Server-aided computation method and distributed information processing unit.

A server-aided computation method using a main unit for processing secret information and at least one auxiliary unit for supporting a computation that said main unit executes, said method comprising the steps of:

generating d' from a secret key d using m random numbers R_i (where i = 1, ..., m) generated by said main unit having secret keys n and d;

transferring d' and n from said main unit to said auxiliary unit;

computing the following equation from a message block C in said auxiliary unit

M' = C^d' mod n

computing X using said random numbers R_i and n in said main unit while computing M' in said auxiliary unit;

transferring M' from said auxiliary unit to said main unit; and

computing a message block M using the following equation in said main unit.

M = M' · X mod n
Server-aided computation method and distributed information processing unit

The present invention relates to a server-aided computation method and a distributed information processing unit for secretly distributing information of a host computer into a plurality of auxiliary units which compute the information.

When a security service is used with a cryptosystem, it is very important to safely distribute and control key information.

The public-key cryptosystem RSA proposed by Rivest et al. has come to public notice as a cryptosystem for solving most of such key distribution problems. The present invention is based on the RSA cryptosystem, which is described in detail below.

Key generation

First, generate any two large different prime numbers p and q. Generate n = p · q as the product of p and q. Obtain L = λ(n) = LCM(p - 1, q - 1), where λ represents the Carmichael function and LCM(p - 1, q - 1) represents the least common multiple of p - 1 and q - 1. Select a proper integer e which is relatively prime to L (3 ≤ e ≤ L - 1) and obtain d, the multiplicative inverse of e in the modulus L.

e · d = 1 mod L (1)

The (e, n) produced in the above method is a key for an encipherment. A cipher text produced with it can be deciphered using (d, n).



Encipherment and decipherment

A plain text M and a cipher text C are both integers less than n. They are enciphered by the following equation. In the following description, it is necessary to assume that any equal sign represents that the value on the left side is computed by using the right side.

C = M^e mod n (2)

M can be obtained from C in the following equation.

M = C^d mod n (3)

The conversion of the decipherment can be speeded up by using the secret information p and q of the receiving side. This method is described in a paper by J.J. Quisquater et al., "Fast decipherment algorithm for RSA public-key cryptosystem", Electron. Lett., 18, 21, pp. 905-907 (Oct. 1982). To compute the value of equation (3), obtain it in the moduli p and q rather than directly obtaining it in the modulus n. Using the Chinese remainder theorem on the results being obtained, obtain the plain text. (For details of the Chinese remainder theorem, see the book titled "Gendai Angou Riron (Modern Cryptosystem Theory)" by Ikeno, Koyama, et al., The Institute of Electronics, Information and Communication Engineers, p. 19.)

To practically explain this method, define C1, C2, d1, d2, m1, and m2 as follows.

C1 = C mod p, C2 = C mod q (4)
d1 = d mod (p - 1), d2 = d mod (q - 1) (5)
m1 = M mod p, m2 = M mod q (6)

At the time, the following equations are satisfied.

m1 = C1^d1 mod p (7)
m2 = C2^d2 mod q (8)

Thus, the plain text M can be obtained as the root of the following simultaneous congruences.

M = m1 (mod p) (9)
M = m2 (mod q) (10)
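As an added worked example, not part of the original document: RSA key generation with the Carmichael function, encipherment, direct decipherment, and the Quisquater-style CRT decipherment of equations (4) to (10), written in Python. The primes and plain text are constructed demo values (two Mersenne primes, far too small for real use); `pow(x, -1, m)` is Python's built-in modular inverse, and the function and variable names are mine, not the document's.

```python
from math import gcd


def lcm(a, b):
    return a // gcd(a, b) * b


def key_generation(p, q, e=65537):
    """Return the public key (e, n), the secret exponent d and L = lambda(n)."""
    n = p * q
    L = lcm(p - 1, q - 1)                 # L = lambda(n) = LCM(p-1, q-1)
    if gcd(e, L) != 1:
        raise ValueError("e must be relatively prime to L")
    d = pow(e, -1, L)                     # e * d = 1 mod L, equation (1)
    return (e, n), d, L


def encipher(M, e, n):
    return pow(M, e, n)                   # C = M^e mod n, equation (2)


def decipher(C, d, n):
    return pow(C, d, n)                   # M = C^d mod n, equation (3)


def decipher_crt(C, d, p, q):
    """Decipher with the secret primes: work modulo p and q, then recombine."""
    n = p * q
    C1, C2 = C % p, C % q                 # equation (4)
    d1, d2 = d % (p - 1), d % (q - 1)     # equation (5)
    m1 = pow(C1, d1, p)                   # equation (7)
    m2 = pow(C2, d2, q)                   # equation (8), modulo q
    # Chinese remainder theorem for M = m1 (mod p), M = m2 (mod q), equations
    # (9) and (10). The coefficients q*(q^-1 mod p) and p*(p^-1 mod q) are the
    # w_p, w_q constants that the server-aided embodiments store on the card.
    w_p = q * pow(q, -1, p) % n
    w_q = p * pow(p, -1, q) % n
    return (m1 * w_p + m2 * w_q) % n


# Constructed demo primes (2^31-1 and 2^61-1): far below the ~100 decimal
# digits item D calls for; they only keep the example fast.
P_DEMO = (1 << 31) - 1
Q_DEMO = (1 << 61) - 1


def roundtrip(M, p=P_DEMO, q=Q_DEMO):
    """True if both decipherment paths recover M and a signature verifies."""
    (e, n), d, _ = key_generation(p, q)
    C = encipher(M, e, n)
    S = pow(M, d, n)                      # digital signature S = M^d mod n
    return (decipher(C, d, n) == M and decipher_crt(C, d, p, q) == M
            and pow(S, e, n) == M)        # verification recovers M from S


if __name__ == "__main__":
    print(roundtrip(123456789012345678))
```

The CRT path does two exponentiations with half-size moduli and half-size exponents, which is why the document later reuses exactly these `w_p`, `w_q` coefficients on the IC card.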

The RSA cryptosystem is also used for a "digital signature." In this case, the equation is expressed as follows.

S = M^d mod n, where M is a plain text and S is a signature text.

The RSA cryptosystem can be executed in the above method. Its features are outlined below.

A. Public keys e and n which are uniquely assigned to each person are made open to the public in the form of a list. Thus, any one can access the keys.
B. Secret keys d, p, q, and λ(n) are kept secret to the public. The person who has the secret keys should take care not to disclose them.

C. Besides the encryption function, a signature function is also provided.

D. To secure the safety of the RSA cryptosystem, it is necessary to select around 100 digits in decimal notation for the number of digits of the secret keys p and q. In this case, n becomes a value of around 200 digits in decimal notation, resulting in requiring a huge processing amount of computation for conversions between the RSA encipherment and decipherment.

As an operation method for maximizing the benefits of the RSA cryptosystem, it is preferable to issue an individual key, to store the key in a portable recording medium, and to have the person who owns the key carry it. In this case, the item B described above is very important in the system operation. As a medium satisfying the condition of the item B, an IC card is most suitable as a [...] recording apparatus. However, when the RSA cryp[...] to execute the RSA decrypting conversion and generate a signature in the IC card. Since the IC card has an access control function which compares a password, when the secret keys d, p, q, and λ(n) are converted in the IC card, the secret key d can be prevented from being divulged from the IC card. However, because of the insufficient computation capacity of the IC card, [...] it is difficult to accomplish a practical processing speed. This is true even with the high speed method proposed by Quisquater et al. described above. [...] consider to mount an RSA dedicated high speed computation LSI on the IC card.

[...] use the IC card as a key memory with the access control function [...] a high computation capacity other than the IC card, for example, a terminal unit, [...] the code conversion, it is possible to accomplish the practical processing speed. [...] to the terminal unit, unless the design, maintenance and control of the terminal unit are carefully done, d may be divulged to another person via the terminal unit. In addition, d [...] the IC card to efficiently perform the RSA code conversion using only the computation capability of the terminal unit without divulging information relating to the secret key d to the terminal unit have been proposed. This method is named "server-aided computation method" by the proposers. Although the server-aided computation method [...], the method remarkably relating to the RSA code conversion is described in the paper titled "Anzenna Keisan [...] Tsuite (Safety Computation Request Method)", by Kato, Matsumoto and Imai, Code and Information Security Symposium Material F-3, February 1988. The method is described in the following.

As a preparation, firstly obtain r_p, r_q, and R which satisfy the following equations.

r_p = R mod (p - 1) (11)
r_q = R mod (q - 1) (12)

However, where χ(r) is defined as χ(r) = l(r) + w(r) - 2, r_p and r_q are selected so that

χ(r_p) + χ(r_q) (13)

becomes a small value. Here l(r) represents the bit length of r, w(r) represents the number of 1 bits in r, and χ(r) represents the number of modulo-multiplications necessary for the modulo-exponentiation where r is an exponent.

In addition, compute the following equations.

W_p = q (q^-1 mod p) mod n,
W_q = p (p^-1 mod q) mod n (14)

In the IC card, r_p, r_q, R, d, p, q, λ(n), n, W_p, and W_q have been stored.

Then, using the following equation instead of d,

d' = d - R mod λ(n) (15)

the IC card requests the terminal unit to compute M', where C is converted by d':

M' = C^d' mod n (16)

The terminal unit returns M' being computed to the IC card. The IC card converts M' into the plain text M by using the following equation.

M = M' · X mod n (17)

[...] relatively small. In addition, to the terminal unit, the IC card sends d' converted by the random number R rather than d, thereby enhancing the degree of safety. When the server-aided computation is performed in the manner described above, the code conversion can be effectively performed with the computation capacity of the terminal unit as well as increasing the degree of safety of the secret key d.

As described above, when secret information such as that of the RSA cryptosystem is computed, if a unit computes a huge processing amount of information, it takes much computation time. For example, if an IC card whose computation capacity is relatively small executes such a computation, it takes much computation time. In addition, it is possible to consider using an auxiliary unit as well as the main computation unit to share the computation load of the secret information between them so as to reduce the computation time. However, if the secret information is directly sent to the auxiliary unit, it may be stolen by the unit or a third party. For example, when d is sent to an external unit which can execute the RSA computation at a high speed, the secret information necessary for the decryption and generation of a digital signature is known by the external unit and thereby the information may be invalidly used.

On the other hand, the secret information using the "server-aided computation" which has been proposed can be effectively converted using the computation capacity of an external unit without divulging the secret information. However, the external unit is not always reliable and the communication information may be changed by a third party. Thus, the requesting side cannot detect an invalidity of the requested side and a change of communication information by the third party. Consequently, the validity of the server-aided computation becomes doubtful.

An object of the present invention is to provide a server-aided computation method and a distributed information processing unit for preventing secret information from being divulged to the requested side of the computation, for effectively computing the secret information using the computing capacity of the requested side, and for really validating the server-aided computation.

For example, the RSA cryptosystem can be used both for enciphering messages and for generating digital signatures.

The first invention is a server-aided computation method using a main unit for processing secret information and at least one auxiliary unit for supporting a computation that said main unit executes, said method comprising the steps of:

generating d' from a secret key d using m random numbers R_i (where i = 1, ..., m) generated by said main unit having secret keys n and d;

transferring d' and n from said main unit to said auxiliary unit;

computing the following equation from a message block C in said auxiliary unit

M' = C^d' mod n

computing X using said random numbers R_i and n in said main unit while computing M' in said auxiliary unit;

transferring M' from said auxiliary unit to said main unit; and

computing a message block M using the following equation in said main unit

M = M' · X mod n

The second invention is a server-aided computation method using a main unit for processing secret information and at least one auxiliary unit for supporting a computation that said main unit executes, said method comprising the steps of:

generating d' from a secret key d using m random numbers R_i (where i = 1, ..., m) generated by said main unit having secret keys n and d;

transferring d' and n from said main unit to said auxiliary unit;

computing the following equation from a message block C in said auxiliary unit

M' = C^d' mod n

computing X^-1 using said random numbers R_i and n in said main unit while computing M' in said auxiliary unit;

transferring M' from said auxiliary unit to said main unit; and

computing a message block M using the following equation in said main unit

M = M' · X^-1 mod n

The third invention is a server-aided computation method using a main unit for processing secret information and at least one auxiliary unit for supporting a computation that said main unit executes, said method comprising the steps of:

generating d' from a secret key d using m random numbers R_i (where i = 1, ..., m) generated by said main unit having secret keys n and d;

transferring d' and n from said main unit to said auxiliary unit;

computing the following equation from a message block C in said auxiliary unit

M' = C^d' mod n

computing X and X^-1 using said random numbers R_i and n in said main unit while computing M' in said auxiliary unit;

transferring M' from said auxiliary unit to said main unit; and

[...]

[...] the auxiliary unit only knows d' and n, which have been opened, and C and M'. Since the auxiliary unit cannot directly know the secret key d, it is impossible to devise a function which causes the auxiliary unit to steal the secret key d. The execution of the computations for obtaining X, X^-1, or X and X^-1 that the main unit executes can be conducted independently from the computations that the second unit executes. In addition, by restricting the bit length of the random numbers r_pi and r_qi, the amount of the computation for obtaining X_pi and X_qi can be reduced.

The fourth invention is a server-aided computation method using a main unit for processing secret information and at least one auxiliary unit for supporting a computation that said main unit executes, wherein [...] an integer M is raised to the d-th power, given by a secret positive integer d which is kept secret to said auxiliary unit, in accordance with an algebraic system where the given positive prime number or composite number n is a modulus, said method comprising the steps of:

(a) separating said integer n into k (k ≥ 1) positive integers n_j (where j = 1, ..., k) each of which [...];

(b) splitting said positive integer d into (m + 1) × k non-negative integers D_j = [d_j0, f_j1, ..., f_jm] ([...] of said positive integer n) and sets of the following m × k positive integers which are transferred to said auxiliary unit [...];

(c) computing [...] where i = 1, ..., m and j = 1, ..., k in said auxiliary unit and sending the results to said main unit; and

(d) computing in said main unit the following equation using the k values Y_j0 = M^d_j0 mod n and the above Y_ij which have been computed by said auxiliary unit [...] a result S which satisfies the k simultaneous equations relating to S.

The fourth invention can also be applied when said integer n is a prime.

The fourth invention can be applied when said integer is a product of two prime numbers.

In the fourth invention, since D_j is kept secret to the auxiliary unit which supports the main unit, the auxiliary unit cannot know D_j unless it tries to execute the round robin (exhaustive search) method. Thus, it is possible for the main unit to execute the computation without divulging the secret information to the auxiliary unit.

In addition, when the computation speed of the auxiliary unit is satisfactorily high, the requested computation can be executed at a higher speed than that executed only by the main unit.

As a special case of the fourth invention, when the m × k non-negative integers f_j1, f_j2, ..., f_jm are selected as 1 or 0, the computation load of the main unit can be reduced.

If a condition where the value d_ij is defined so that d_ij = d_uv is imposed for at least one set of integer pairs (i, j) and (u, v) (where 1 ≤ j, u ≤ k, 1 ≤ i, and v ≤ m), when the auxiliary unit executes M^d_ij mod n, it [...].

[...]

verification means for mutually comparing the conversion results of said plurality [...] to determine whether the computation results are correct or not.

The seventh invention is a distributed information processing unit having a main unit for processing secret information and at least one auxiliary unit for supporting a computation that said main unit executes, for executing a distributed process without divulging conversion of said secret information other than said main unit, said distributed information processing unit comprising:

first conversion means for executing said conversion of input information;

second conversion means for executing an identity conversion; and

comparison means for comparing the conversion results of said second conversion means with said input information so as to verify the conversion results of said first conversion means.

In the seventh invention, by comparing the result obtained by the conversion means using vectors created according to a special rule with the input information, the main unit can execute the conversion without divulging the secret information intrinsic to the main unit, effectively execute the computation with the assistance of the computation capacity of the auxiliary unit of the requested side, and easily determine whether the computation request is correct or not without a communication for the verification and an assistance of the requested side.

Figure 1 is a processing flow chart of a server-aided computation method embodying the first invention;

Figure 2 is a perspective view of a terminal unit 2;

Figure 3 is a block diagram showing the structure of an IC card 9;

Figure 4 is a block diagram showing the structure of the terminal unit 2;

Figure 5 is a flow chart showing the process of the terminal unit 2;

Figure 6 is a process flow chart of a server-aided computation method embodying the second invention;

Figure 7 is a block diagram showing a computation section and the unit;

Figures 8 and 9 are diagrams showing a process where the fourth invention is structured by the IC card and the terminal;

Figure 10 is a chart showing a process time characteristic;

Figure 11 is a block diagram showing an outline of the fifth to seventh inventions;

Figures 12 and 13 are a process flow chart embodying the fifth invention and an outline diagram showing the general structure;

Figures 14 and 15 are a process flow chart and an outlined diagram of the general structural example of another embodiment;

Figures 16, 17, and 18 are an outlined diagram of the general structural example, a flow chart of an example of the process, and a flow chart of another example of the process of another embodiment, respectively;

Figures 19 and 20 are flow charts showing another embodiment; and

Figures 21 and 22 are a flow chart of the process and an outlined diagram of the general structural example of another embodiment, respectively.

An embodiment of the present invention is described in the following. For convenience of the description, as shown in Figure 1, it is assumed that the requesting side of computation is the IC card and the requested side of computation is the terminal. However, the requesting side and requested side can be freely structured using devices and software in the range of the present invention. The embodiment is described as a server-aided computation where a cipher text is deciphered to a plain text. However, the present invention is also applicable to generate a digital signature by using the same conversion.

Figure 2 is a perspective view of a terminal unit 2.

As shown in the figure, the terminal unit 2 is composed of a main unit 1, a display 3, a keyboard 5, and a reader/writer 7. An IC card 9 is inserted into the reader/writer 7. A floppy disk 11 is inserted into the main unit 1.

Figure 3 is a block diagram showing the structure of the IC card 9. The IC card 9 is provided with an I/O contact 13, a CPU 15, a data memory 17, and a program memory 19.

Figure 4 is a block diagram showing the structure of the main unit 1. The main unit 1 is composed of a display controller 21, a central processing unit 23, a main memory 25, a first communication port 27, a second communication port 29, a floppy disk driver 31, and a keyboard (I/O) 33, each of which is connected via an internal data bus 35. The display controller 21 controls the display 3. The central processing unit 23 controls the entire terminal unit 2. The main memory 25 stores programs that the central processing unit 23 executes and data used for the programs.

The first communication port 27 is connected to a communication line 12. The communication line 12 is connected to another terminal unit 2. The second communication port 29 is connected to the reader/writer 7. The floppy disk driver 31 drives the floppy disk 11. The keyboard (I/O) 33 is connected to the keyboard 5.

Next, using the terminal unit 2 and the IC card 9, the server-aided computation method is described. As a preparation, a proper set of random numbers, r_p, r_q, and R, which satisfy the equations (18) and (19) similar to the equations (11) and (12) is obtained.

r_p = R mod (p - 1) (18)
r_q = R mod (q - 1) (19)

At the time, as described above, the restriction where the result of the following equation is relatively small is applied.

χ(r_p) + χ(r_q) (20)

The simultaneous equations (18) and (19) are solved after r_p and r_q are properly defined. The existence condition of the solution and the solution are described on pages 31-35 of Sadaharu Takagi's "SHOTO SEISUURON KOUGI (Elementary Theory of Numbers)", Kyoritsu Syuppan. The solution of the simultaneous equations is uniquely obtained assuming that L = LCM(p - 1, q - 1) is a modulus. If necessary, the following equations are also computed.

w_p = q (q^-1 mod p) mod n,
w_q = p (p^-1 mod q) mod n (21)

Here w_p and w_q are constants which need not always be prepared. In the present embodiment, r_p, r_q, R, d, p, q, λ(n), n, w_p, and w_q have been stored in the IC card.

In addition, the IC card converts d into d' [...] using the following equation.

d' = (d - R) mod λ(n) (22)

Figure 5 is a process flow chart showing a process of the terminal unit 2.

First, the user faces the terminal unit 2 and then inserts the own IC card 9 into the reader/writer 7 which is connected to the terminal unit 2 (in step 501). The user presses proper keys on the terminal unit 2 to inform the terminal unit 2 that the operation thereof is started. At the time, a clock and power are supplied to the IC card 9 via the reader/writer 7. After the IC card 9 is initialized (in step 502), the IC card 9 enters a communication waiting state. The terminal unit 2 requires the user to enter the own password to verify whether the user of the IC card 9 is valid or not (in step 503). When the password is not entered (in step 504), the elapsed time is checked (in step 505). When the specified time has elapsed, a timeout occurs. Otherwise, the control returns back to step 503. When the password is entered, the password is transferred to the IC card 9 (in step 506). The password is compared with the registered password stored in the IC card 9 and the compared result is transferred to the terminal unit 2 (in step 507). When the compared result is OK (in step 508), the IC card 9 becomes a valid state. When the compared result is not OK, the IC card 9 becomes an invalid state. [...] command (in step 509), whether the entered command is an end command or not is checked (in step 510), and a command subroutine is executed (in step 511).

An execution of the command subroutine is described in the following. The process that follows is shown in Figure 1.

The terminal unit 2 transfers the cipher text C to the IC card 9 (in step 101) and reads d' and n which have been written in the memory of the IC card 9 (in step 102). The terminal unit 2 computes M' from the cipher text C using the two pieces of information (in step 103).

M' = C^d' mod n (23)

The terminal unit 2 sends M' which has been computed to the IC card 9 (in step 105).

On the other hand, the IC card 9 obtains a constant X according to the equations (24) to (26) along with the computation in the terminal unit 2 (in step 104).

X_p = (C mod p)^r_p mod p (24)
X_q = (C mod q)^r_q mod q (25)

The above equations are computed and X is obtained using the following equation.

X = {(X_p mod p) w_p + (X_q mod q) w_q} mod n (26)

The equations (24) to (26) are supplementally described in the following. Although it can be considered that the equations (24) and (25) are simultaneous equations for X, [...] auxiliary variables w_p and w_q. [...] However, the method for obtaining X which satisfies the equations (24) and (25) is not limited to the above method. For example, another solution is represented in the paper on pages 905-907 by J.J. Quisquater et al., "Fast decipherment algorithm for RSA public-key cryptosystem", Electron. Lett., 18, 21, October 1982.

Therefore, the obtainment of X and the use of the auxiliary variables w_p and w_q by the equation (26) are not essential. Rather, the obtainment of X which satisfies both the equations (24) and (25) is essential. Thus, this embodiment does not limit the method for obtaining X when the first invention is actually accomplished.

The plain text M that the IC card 9 needs to obtain can be obtained by converting the cipher text C using the following equation.

M = C^d mod n (27)

Here, M is obtained from M' computed by the terminal unit 2 and X computed by the IC card 9 using the following equation (in step 106).

M = (M' · X) mod n (28)

In this example, the computation is executed in the IC card 9. The IC card 9 transfers M, which has been obtained, as the deciphered result to the terminal unit 2 (in step 107).

The terminal unit 2 displays the deciphered result on the display and writes it to the auxiliary storage unit to complete the decipher process sequence. The user removes the IC card 9 from the reader/writer 7 and completes the operation.

In the present embodiment, since the terminal unit 2 can easily obtain X from M and M' in the process, it is necessary to note that the computation of the equation (28) can be executed in the terminal unit 2 rather than the IC card 9. In this process, the terminal unit 2 does not transfer M' to the IC card 9. Rather, the IC card 9 transfers X to the terminal unit 2.

In the above process, it is obvious that M can be correctly computed using the equation (28) as described below.

From the equations (24) to (26), the following equation is satisfied by the Chinese remainder theorem which has been mentioned as [Related Art].

X = C^R mod n (29)

On the other hand, the following equation is also satisfied.

M' = C^d' mod n = C^((d - R) mod λ(n)) mod n
= C^(d - R) mod n = C^d C^-R mod n (30)

From the equations (29) and (30), the following equation is also satisfied.

(M' · X) mod n = (C^d C^-R · C^R) mod n = C^d mod n
= M (31)

Thus, it is obvious that the equation (28) is satisfied.
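As an added worked example (not the patent's own code), the first embodiment run end to end in Python. The IC card keeps p, q, d and R, hands the terminal only d' and n, and the two sides are written as separate functions so that the terminal step receives nothing else; the check that X equals C^R mod n (equation (29)) is also carried out. The primes, exponent and plain text are constructed for the demo, `solve_R` is my name for solving equations (18) and (19) for R, and `chi` implements the χ(r) = l(r) + w(r) - 2 count used to size step (1). The random-number generation assumes gcd(p - 1, q - 1) is small, as it is for the demo primes.

```python
from math import gcd
from random import randrange


def lcm(a, b):
    return a // gcd(a, b) * b


def solve_R(r_p, r_q, p, q):
    """Solve R = r_p mod (p-1), R = r_q mod (q-1) (equations 18 and 19).

    p-1 and q-1 are both even, so this is the generalised Chinese remainder
    theorem: a solution exists only if r_p and r_q agree modulo
    g = gcd(p-1, q-1), and it is unique modulo L = LCM(p-1, q-1)."""
    m1, m2 = p - 1, q - 1
    g = gcd(m1, m2)
    if (r_q - r_p) % g:
        raise ValueError("r_p and r_q must agree modulo gcd(p-1, q-1)")
    t = ((r_q - r_p) // g) * pow(m1 // g, -1, m2 // g) % (m2 // g)
    return r_p + m1 * t


def chi(r):
    """chi(r) = l(r) + w(r) - 2: modulo-multiplications of square-and-multiply."""
    return r.bit_length() + bin(r).count("1") - 2


class ICCard:
    """The requesting side. Everything stored here stays inside the card."""

    def __init__(self, p, q, d, r_bits=20):
        self.p, self.q, self.d = p, q, d
        self.n, self.L = p * q, lcm(p - 1, q - 1)
        # Preparation (equations 18-22): short r_p, r_q make step (1) cheap.
        g = gcd(p - 1, q - 1)                      # assumed small (2 here)
        self.r_p = randrange(2, 1 << r_bits)
        self.r_q = self.r_p % g + g * randrange(1, (1 << r_bits) // g)
        self.R = solve_R(self.r_p, self.r_q, p, q)
        self.w_p = q * pow(q, -1, p) % self.n      # equation (21)
        self.w_q = p * pow(p, -1, q) % self.n
        self.d_prime = (d - self.R) % self.L       # equation (22)

    def values_for_terminal(self):
        """Step 102: the terminal reads only d' and n, never d, p, q or R."""
        return self.d_prime, self.n

    def compute_X(self, C):
        X_p = pow(C % self.p, self.r_p, self.p)    # equation (24)
        X_q = pow(C % self.q, self.r_q, self.q)    # equation (25)
        return (X_p * self.w_p + X_q * self.w_q) % self.n   # equation (26)

    def finish(self, M_prime, X):
        return (M_prime * X) % self.n              # equation (28), step 106


def terminal_step(C, d_prime, n):
    """Step 103 on the requested side: the only full-size exponentiation."""
    return pow(C, d_prime, n)                      # equation (23)


def server_aided_decipher(card, C):
    """Run Figure 1; return M and the modulo-multiplication count of step (1)."""
    d_prime, n = card.values_for_terminal()
    M_prime = terminal_step(C, d_prime, n)         # step 103, terminal
    X = card.compute_X(C)                          # step 104, card (parallel)
    if X != pow(C, card.R, n):                     # equation (29) must hold
        raise AssertionError("X != C^R mod n")
    return card.finish(M_prime, X), chi(card.r_p) + chi(card.r_q)


# Constructed demo key: two small primes; real keys use ~100-digit primes.
P_DEMO, Q_DEMO, E_DEMO = 1000000007, 998244353, 65537


def demo(M=123456789012345):
    """Encipher M with the public key, then decipher it with the protocol."""
    n, L = P_DEMO * Q_DEMO, lcm(P_DEMO - 1, Q_DEMO - 1)
    d = pow(E_DEMO, -1, L)
    card = ICCard(P_DEMO, Q_DEMO, d)
    C = pow(M, E_DEMO, n)
    recovered, step1_work = server_aided_decipher(card, C)
    # The terminal saw only d'; without R it cannot recover d from it.
    return recovered == M, card.d_prime != d, step1_work


if __name__ == "__main__":
    print(demo())
```

The third value returned by `demo` is χ(r_p) + χ(r_q), the number of half-size modulo-multiplications the card performs in step (1); with 20-bit r_p and r_q it stays below 80, while the terminal's step (2) costs χ(d') multiplications on the full modulus.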

Then, the computation load is considered in the following. The computations from the equations (18) to (22) can be prepared before the conversion is started. After the cipher text is given, it is possible to consider the computations only for the portions which are executable. As steps to be executed after C is given, there are (1) obtainment of X by the IC card 9 using the equations (24) to (26); (2) computation of the equation (23) by the terminal unit 2; and (3) computation of the equation (28) by the IC card 9. In the above three steps, the computation (2) that the terminal unit 2 performs requires the largest computation load.

Practically, this value can be represented as χ(d'). When n is 512 bits, a modulo-multiplication for 512 bits should be executed 1024 times in the worst case. The step that requires the next largest computation load is (1). The equations which require the major computation load in step (1) are the equations (24) and (25). They require a modulo-multiplication for 256 bits χ(r_p) + χ(r_q) times. By selecting small values for r_p and r_q in advance, the computation load can be reduced. The computation in step (3) that the IC card 9 performs is a modulo-multiplication for 512 bits one time. The major portions of the computation load are the computations in steps (1) and (2). In the first invention, particularly note that the step (1) and the step (2) are independent and they can be executed in parallel. For example, when a general purpose personal computer takes 30 seconds for executing the computation in step (2), if the bit length of r_p and r_q is determined to a proper value and thereby the computation time of step (1) executed by the IC card becomes approx. 30 seconds, the total computation time for the decipherment could become around 30 seconds. When the periods of time necessary for the computations in steps (1) to (3) are represented as T1, T2, and T3, respectively, the total computation time T can be generally represented as the following equation.

T = Max (T1, T2) + T3 ≈ Max (T1, T2) (32)

where Max (A, B) is a function which selects the larger one of A and B.

In the first embodiment, the process for obtaining M using the set of M' and (X_p, X_q), or using values equivalent to the set, is not limited to the method described above. Another method for obtaining M is described in the following.

Using the following two equations, from M',

M'_p = M' mod p (33)
M'_q = M' mod q (34)

by computing M'_p and M'_q, the following two equations are obtained.

M_p = M'_p · X_p mod p (35)
M_q = M'_q · X_q mod q (36)

By simultaneously solving the equations (35) and (36), the required M can be obtained.

Then, as an embodiment of the second invention, according to Figure 6. the conversion where d .s 
obtained from d is defined using the following equation. 

t t^de^cHpt^tL^ follows 7 the startup of the terminal unit 2 and the initialization of the IC card 9 are 
omitted Rather, only the process for the computation is sequentially described It is assumed that R used 
The first embodiment is the same as that in this embodiment. Like the embodiment «^t«^*£ 
the terminal unit 2 transfers the cipher text C which has been ,nput .rom the outs.de to the IC card (.n step 
6?1) xl tminai unit 2 receives d and n from the IC card 9 (in step 602). Like the first emboo.ment. the 
terminal unit 2 computes m' which is given in the following equation (,n step 603). 

The°te7minal uni/fsends m' computed therein back to the IC card 9 (in step 607). 

On the other hand, the IC card 9 computes the following equations (in step 604) 
Xp = (C mod p)' p mod p (39) 
X q = (C mod q) rq mod q (40) 
and obtain X using the following equation (in step 605). 
X = {((X P )"> mod p) w 0 + «X q )'°- mod q) W 5 } mod n (41) 
In addition, by solving the following equation 

LcoIaineT^step 606). This solution is named the extended Euclidean algorithm. For detals. see the 
thesis "Gendai Angou Riron" described above. 

The value to be obtained by the IC card 9. namely M. is expressed as follows. 

This valuT°s d o n btained 3 irom the following equation using M* which has been computed by the terminal unit 2 
and X-' which has been computed by the IC card 9 (in step 608). 

The^C M caid X 9" , ?ra m ns d e r r s the^su.t being obtained to the terminal unit 2 and completes the process (in step 

609> .n the following, it will become obvious that M can be correctly computed from the equation (44). 

From the equations (35) to (38) and the Chinese remainder theorem, the following equation is satisfied. 

X^{-1} = C^{-R} mod n  (45)

On the other hand, since M' can be expressed as follows, 
M' = C^{d'} mod n 
   = C^{(d + R) mod λ(n)} mod n 
   = C^{d + R} mod n 
   = C^d · C^R mod n  (46)

From the equations (29) and (30), (M' · X^{-1}) mod n = (C^d · C^R · C^{-R}) mod n 
   = C^d mod n 
   = M  (47)

Thus, it is obvious that the equation (28) is satisfied. 

In the embodiment of the second invention, the process for obtaining M using M' and the set of (X_p, X_q) 
or a value equivalent to this set is not limited to the method described above. 

For example, by computing C^{-1} using the extended Euclidean algorithm in advance, the following 
equations can be computed. 

X_p^{-1} = (C^{-1} mod p)^{r_p} mod p  (48)
X_q^{-1} = (C^{-1} mod q)^{r_q} mod q  (49)

In addition, from the following two equations using M', 
M'_p = M' mod p  (50)
M'_q = M' mod q  (51)

M'_p and M'_q are obtained and thereby the following equations are satisfied. 

M_p = M'_p · X_p^{-1} mod p  (52)
M_q = M'_q · X_q^{-1} mod q  (53)
By simultaneously solving the equations (48) and (49), the required M can be obtained. The effect of the 
second invention is the same as that of the first invention. 
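The exchange of the second embodiment (steps 601 to 609, equations (39) to (44)) written out as an added, runnable Python example; this is not code from the patent. It assumes a constructed toy RSA key (p = 61, q = 53, e = 17, so λ(n) = 780 and d = 413) and all function names are hypothetical. The card blinds the exponent as d' = (d + R) mod λ(n), the terminal returns M' = C^{d'} mod n, and the card recovers M = M' · X^{-1} mod n, where X = C^R mod n is assembled by the Chinese remainder theorem from the two small residues r_p = R mod (p - 1) and r_q = R mod (q - 1).

```python
from math import gcd

# Constructed toy RSA key, assumed for this illustration only (real keys are far larger).
P, Q = 61, 53
N = P * Q                                        # open modulus n = 3233
LAMBDA = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)  # Carmichael lambda(n) = LCM(60, 52) = 780
E = 17                                           # open exponent
D = pow(E, -1, LAMBDA)                           # secret exponent with e*d = 1 (mod lambda(n)): 413


def card_blind_exponent(d, R, lam):
    """Main unit (IC card): d' = (d + R) mod lambda(n).  Only d' and n leave the card."""
    return (d + R) % lam


def terminal_exponentiate(C, d_prime, n):
    """Auxiliary unit (terminal): the heavy modulo-exponentiation M' = C^{d'} mod n (step 603)."""
    return pow(C, d_prime, n)


def card_compute_X(C, R, p, q):
    """Main unit: X = C^R mod n assembled by the Chinese remainder theorem (steps 604-605).
    r_p = R mod (p-1) and r_q = R mod (q-1) are small, so these two exponentiations
    are cheap compared with the terminal's C^{d'} mod n."""
    n = p * q
    r_p, r_q = R % (p - 1), R % (q - 1)
    X_p = pow(C % p, r_p, p)                     # eq. (39)
    X_q = pow(C % q, r_q, q)                     # eq. (40)
    W_p = q * pow(q, -1, p)                      # CRT weights as in eqs (80)-(81)
    W_q = p * pow(p, -1, q)
    return (X_p * W_p + X_q * W_q) % n           # eq. (41)


def card_recover_M(M_prime, X, n):
    """Main unit: M = M' * X^{-1} mod n (step 608); pow(X, -1, n) is the extended
    Euclidean inverse of step 606."""
    return M_prime * pow(X, -1, n) % n


def server_aided_decrypt(C, R):
    """Whole exchange.  The card never reveals d; the terminal sees only d' and C^{d'}."""
    d_prime = card_blind_exponent(D, R, LAMBDA)
    M_prime = terminal_exponentiate(C, d_prime, N)
    X = card_compute_X(C, R, P, Q)
    return card_recover_M(M_prime, X, N)


if __name__ == "__main__":
    M = 65                                       # constructed plaintext block
    C = pow(M, E, N)                             # cipher text, 2790
    R = 123                                      # r_p = 3, r_q = 19, so X is cheap on the card
    print(server_aided_decrypt(C, R))            # 65
```

The card's own work is two short exponentiations with exponents r_p and r_q plus one modular inverse, which is the cost reduction the embodiment is after; the terminal's result is only accepted as an intermediate value and is never used without the card's unblinding step.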

As an embodiment of the third invention, a more generalized method is described. In the first and the 
second embodiments, the unique random number R has been used in the algebraic system where the 
Carmichael function λ(n) is a modulus. In the embodiment of the third invention, a general format using m 
random numbers R_i (i = 1, ..., m; m > 1) is described. Firstly, it is assumed that each random number R_i 
satisfies the following equations. 
R_i mod p = r_ip  (54)
R_i mod q = r_iq  (55)

Like the embodiment of the first invention, it is also assumed that the value of the following expression is 
properly restricted. 

Σ_{i=1}^{m} {τ(r_ip) + τ(r_iq)}  (56)

As suggested in the equations (54) to (56), it is necessary to define r_ip and r_iq and then obtain R_i. 
Using R_i obtained in the above manner, each conversion f_i from x to y is defined, 
y = f_i(R_i, x)  (57)

Using the resultant conversion where m conversions are composed, d is converted into d'. 

d' = f_m(R_m, ... f_2(R_2, f_1(R_1, d)) ...)  (58)

As the practical definition of f_i, the following three types can be used. 
y = x · R_i^{-1} mod λ(n)  (59)
y = (x - R_i) mod λ(n)  (60)
y = (x + R_i) mod λ(n)  (61)

The equation (59) is the function which has been described. The equations (60) and (61) are the functions 
which have been represented in the embodiments of the first and the second inventions. By using any 
combination of the above functions, the server-aided computation can be accomplished. 

Like the above example, the IC card 9 sends d' which has been obtained in the equation (58) to the 
terminal unit 2. The terminal unit 2 obtains M' from the following equation. 
M' = C^{d'} mod n  (62)

The terminal unit 2 sends M' back to the IC card 9. The IC card 9 obtains M from M' in accordance with 
the M obtainment process determined by the conversion process of the equation (58). Like the above 
example, for the conversions according to the equations (60) and (61), along with the computation by the 
terminal unit 2, the following values necessary for the conversion for obtaining M from M' can be computed. 
X_{p,i} = (C mod p)^{r_ip} mod p  (63)
X_{q,i} = (C mod q)^{r_iq} mod q  (64)

In this embodiment, the method for obtaining M is omitted because it can be easily accomplished by 
applying the prior art and the embodiments of the first and the second inventions. 

Therefore, according to the first, the second, and the third inventions, the method for accomplishing most 
of the processes of the terminal unit 2 and the IC card 9 at the same time is provided and thereby the 
process time necessary for the server-aided computation can be remarkably reduced. 

In addition, according to the first invention to the third inventions, it is not necessary to excessively 
increase the process speed of the IC card, thereby reducing the costs of the terminal unit 2 and the IC card 
9. 

In the following, an embodiment of the fourth invention is described. 

This embodiment is described assuming that the IC card 9 and one POS unit are used as the main unit 
and the auxiliary unit, respectively. 

The system structure is the same as those shown in Figures 2 to 4. The computation section is shown 
in Figure 7. 

The invention can be expressed in a general form where k D_1 and k D_2 are provided so that a modulus 
n can be separated into k factors each of which is a prime number. Namely, D_j1, D_j2 (j = 1, 2, ..., k). Figure 
7 is shown in such manner. In this embodiment, firstly, the case of k = 1 is described. 

As shown in Figure 7, the IC card 9 stores a plurality of positive integers D_1 = [d_0, f_1, ..., f_m] and the 
open information storage section 1b stores D_2 = [d_1, d_2, ..., d_m], each of which satisfies the following 
equation. 

d = d_0 + f_1 · d_1 + f_2 · d_2 + ... + f_m · d_m (mod λ(n))  (65)
where D_1 is secret information of the IC card 9 and is structured so that it cannot be normally read from the 
outside. The user of the IC card 9 generates a modulo-exponentiation value expressed by the following equation 
from the digital information M using the IC card 9 and the terminal unit 2. 
S = M^d mod n  (66)

It is a digital signature of the RSA cryptosystem. 

In this embodiment, a generation of the digital signature is exemplified. The present invention is 
applicable also to the encipherment of the RSA cryptosystem. 

The computation process is described in the following by referring to Figure 8. 

The user inserts the IC card 9 into the reader writer 7 of the terminal unit 2, commands the start of the 
terminal unit 2 in accordance with a predetermined sequence, and enters the message M (in steps 801 to 
804). 

The message is detail of shopping, for example. 

The IC card 9 transfers D_2 = [d_1, d_2, ..., d_m] and the value n of the modulus to the terminal unit 2 (in 
step 805). The terminal unit 2 computes m y_i's using D_2 and n received by computation sections 2a-1 to 2a-m as 
expressed in the following equation. 

y_i = M^{d_i} mod n (i = 1, ..., m)  (67)

After that, the terminal unit 2 transfers y_i to the IC card 9 (in steps 825 and 807). 

On the other hand, the IC card 9 obtains y_0 from the following equation using the secret information d_0 
in a computation section 9c. 

y_0 = M^{d_0} mod n  (68)

The IC card 9 obtains the signature S from the following equation using y_1, ..., y_m received 
from the terminal unit 2 (in step 808). 
S = y_0 · y_1^{f_1} · y_2^{f_2} · ... · y_m^{f_m} mod n  (69)

The IC card 9 transfers the signature S to the terminal unit 2 (in step 809). The terminal unit 2 records 
the signature S and completes the signature process. 

In this embodiment, when f_1, ..., f_m are represented in binary notation (0 or 1), the computation of the 
power which is apparently present in the equation (69) can be omitted, thereby decreasing the computation 
load of the IC card 9. 

There are the following three major effects in this embodiment. 

(1) Since the secret information of the IC card 9 is not directly transferred to the terminal unit 2, the 
terminal unit 2 cannot know the secret information d of the IC card 9. In addition, the secret information 
can be kept secret against a third party who tries to wiretap the communication between the IC card 9 and 
the terminal unit 2. 

(2) By using a sufficiently high speed terminal unit 2, the process time becomes shorter than that of 
the IC card 9 which executes the modulo-exponentiation computation. 

(3) By properly selecting the secret information of the IC card 9, the process time can be reduced. This 
effect becomes remarkable when d_0 ≥ 2 and f_1, ..., f_m are represented in binary notation. 

It can be also applied to the key-in-common system proposed by Diffie - Hellman. In this case, the 
differences are that n becomes a prime number p and λ(n) 

Another embodiment according to the fourth invention is described in the following. 

In this embodiment, like the above embodiment, generations of the RSA cryptosystem and a digital 
signature are exemplified using the IC card system. It is necessary to note that in the RSA cryptosystem n 
is the product of two large prime numbers p and q and n = p · q can be satisfied. 

In this embodiment, in the IC card 9, a plurality of positive integer sets D_11 = [d_10, f_11, ..., f_1m], D_12 = 
[d_20, f_21, ..., f_2m], and D_2 = [d_1, ..., d_m] have been stored, each of which satisfies the following equations. 

d ≡ d_10 + f_11 · d_1 + f_12 · d_2 + ... + f_1m · d_m (mod p - 1)  (70)
d ≡ d_20 + f_21 · d_1 + f_22 · d_2 + ... + f_2m · d_m (mod q - 1)  (71)

where D_11 and D_12 are secret information of the IC card 9 and they are structured so that they cannot be 
read from the outside. The user of the IC card 9 generates a modulo-exponentiation value expressed by the 
following equation from the digital information M using the IC card 9 and the terminal unit 2. 
S = M^d mod n  (72)

Figure 9 shows process steps for computing the signature S in the embodiment. 

Since the process steps of Figure 9 are the same as those of Figure 8 except for the power remainder 
computation section in step 940, only the step 940 is described in the following. 
Firstly, the IC card 9 transfers the open information D_2 to the terminal unit 2 (in steps 905 and 934). 
The terminal unit 2 computes m y_i's using D_2 and n, which have been received, from the following 
equation. 

y_i = M^{d_i} mod n (i = 1, ..., m)  (73)



The terminal unit 2 transfers y_i to the IC card 9 (in steps 935 and 907). 
On the other hand, the IC card 9 obtains y_10 and y_20 from the following equations using the secret 
information d_10 and d_20 stored in the IC card 9 (in step 908). 
y_10 = M^{d_10} mod p  (74)
y_20 = M^{d_20} mod q  (75)

The IC card 9 computes S_1 and S_2 using y_1, ..., y_m, which have been received from the terminal unit 2, and 
y_10 and y_20 from the equations (74) and (75) (in step 908). 
S_1 = y_10 · y_1^{f_11} · y_2^{f_12} · ... · y_m^{f_1m} mod p  (76)
S_2 = y_20 · y_1^{f_21} · y_2^{f_22} · ... · y_m^{f_2m} mod q  (77)

Since p and q are relatively prime, from the Chinese remainder theorem, the number S which satisfies the 
following equations and which is less than n is uniquely determined. The number S is the desired digital 
signature S. 
S_1 = S mod p  (78)
S_2 = S mod q  (79)

Although these equations can be solved in various methods, by computing W_p and W_q which satisfy the 
following equations 

W_p = q (q^{-1} mod p)  (80)
W_q = p (p^{-1} mod q)  (81)

and by storing them in the IC card 9 in advance, S can be computed from the following equation. 
S = (S_1 · W_p + S_2 · W_q) mod n  (82)

The IC card 9 transfers S to the terminal unit 2 (in step 909). The terminal unit 2 records it and completes 
the signature generation process (in steps 936 to 938). 

In this embodiment, the same effects as (1) to (3) described in the above embodiment are accomplished. 
Particularly, the effect (3) is remarkably accomplished when d_10 ≥ 2 and d_20 ≥ 2 and f_11, ..., f_1m 
and f_21, ..., f_2m are represented in binary notation. 

Lastly, the effect of shortening the process time in another embodiment of the fourth invention is shown 
in Figure 10. 

The vertical axis of the chart represents a relative value of the process time (assuming that the process 
time on which the IC card 9 generates a signature by itself is 1). The horizontal axis of the chart represents 
a relative value v of the process speed of the terminal unit 2 (assuming that the computation speed of the 
IC card 9 is 1). 

Approximately, in the range of 20 ≤ v ≤ 1000, it is obvious that the process time of the server-aided 
computation method of the fourth invention becomes short. 

Consequently, according to the fourth invention, the secret information of the main unit such as the IC 
card 9 which operates as the main computation unit can be processed in shorter time than that executed by 
the main unit alone using the computation capacity of the auxiliary unit without divulging the secret 
information to the auxiliary unit. 

A method for determining whether the result obtained by the server-aided computation method 
described above is valid or invalid and the related units are described in the following. 

Figure 11 is a block diagram showing a system composed of the IC card 9 and the auxiliary unit. 
Figures 12 and 13 are a process flow chart embodying the fifth invention and an outline diagram showing 
the general structure, respectively. 

In the IC card 9, decryption keys of the RSA cryptosystem have been stored. Now, assume that the 
keys are d, n, p, and q where p and q are large prime numbers which are kept secret to the outside except 
for the IC card 9. The open modulus n is the product of p and q. d is a secret exponent. The exponent e 
and the modulus n which structure the open keys may be open to the requested side of the computation. 
The IC card 9 is provided with verification means 1B. 

The IC card 9 requests the terminal unit 2 to execute the decryption conversion or generate a signature 
without divulging the secret key d. By a proper server-aided computation method, the requested side of the 
computation obtains the message M which has been converted and the message S of the computation 
result. When the conversion has been validly executed on the requested side of the computation, it is 
necessary to satisfy the following equation. 
M = S^e mod n  (83)

To check the equation, when generating the keys, it is necessary to consider the creation method of the 
open key e. As is well known, when L = LCM(p - 1, q - 1) is defined, the value of e can be freely decreased without 



des r t::^^ tjszsez ***** «*» s « Trr; r rr 

aided computation in step 1206. This computation can be executed by the IC card 9 at a satisfactorily high 
speed because the value of e is small. 

The M' obtained in step 1207 is compared with the former message. When both of them are 
matched, it can be determined that the computation by the terminal unit 2 has been validly executed. 

In the server-aided computation method relating to the conversion f_k according to the secret information 
k, when the requesting side of the computation can easily execute the reverse conversion, this method 
can be generally applied to any other server-aided computations as well as the RSA cryptosystem. Figure 
13 shows the system structure where the server-aided computation method is generally extended. 
The requesting side 

rr^'S.^xra,r^ P^eU section S3, and compares with the input 

reve^ : conversion are compared in the comparison section 54. the server-aided computation can be rea.ly 

"preferring to Figures 14 and 15. another embodiment of the fifth invention is described in the 
fo„o vL ,n ml embodiment, a server-aided computation of a modu.o-exponentiat.on ,n tne D,ff.e - He.lman 
tvpe key-in-common protocol is described as an example. 

Firstly, the Diffie - Hellman type key-in-common protocol is described. When data is shared 
between the user A and the user B, the following process is executed. 

As the preparation, it is necessary to generate for a user i a secret key x_i, compute an open key β_i = 
g^{x_i} mod p and open β_i to the public where p is a prime number and g is a primitive root of the Galois field 
GF(p) which are common in all users. The user A obtains a common key K_AB by the computation of the 
equation (85) using the open key β_B of the user B and the own secret key x_A. 
K_AB = β_B^{x_A} = g^{x_B · x_A} mod p  (85)

The user B obtains the common key K_BA by the computation of the equation (86) using the open key β_A 
of the user A and the own secret key x_B. 

K_BA = β_A^{x_B} = g^{x_A · x_B} mod p  (86)

K_BA accords with K_AB. In addition, it is difficult to obtain the secret key using the open key because it 

' eq Zl SrXJn^TSc- be accomplished by executing the modulo-exponentiation ^ 

The server-aided computation of a modulo-exponentiation where the prime number p is 
the modulus is described in the following. Assume that the requesting side of the computation is the IC card 
9 and the requested side is the terminal unit 2 which has higher computation capacity than the IC card 9. 
The IC card 9 has stored a fixed secret key x. The base g which is the open key and the modulus p which 
is a prime number are known by both the requesting side and the requested side. The IC card separates 
the secret key x as expressed in the following equation. This separation can be executed by the IC card 
itself or the center as a key issuance process. In addition, it is also possible to store this process in the IC 
card as secret information. 
x = x_0 + f_1 x_1 + f_2 x_2 + ... + f_m x_m mod p - 1  (87)
where f_i is 0 or 1 and x_0 is a small value. 

D_1 = [x_1, x_2, ..., x_m] and x_0 are named separated members of the key x. 

These x_0, F = [f_1, ..., f_m] and D_1 are secret information of the IC card 9. The separation method of the key x is a 
modification of the method of the RSA-S1 protocol (proposed in the thesis of Matsumoto et al., 
"ask services without violating privacy", 1989 Encipherment and Information Security Symposium Text). 

The server-aided computation protocol using the key separation is shown in Figure 14. 

(1) The IC card 9 sends D_1 to the terminal unit 2 (in step 1401). 

(2) The terminal unit 2 receives the separated member D_1 in step 1410, computes z_i (i = 1, ..., m) of the 
following equation (88) in step 1411, and sends the resultant data Z = [z_1, z_2, ..., z_m] to the IC card 9 in 
step 1412. 

z_i = g^{x_i} mod p  (88)

(3) The IC card 9 receives Z in step 1402 and computes K (K_1) of the equation (89) in step 1403. 
K = (Π_{f_i = 1} z_i mod p) · g^{x_0} mod p 
  = g^x mod p  (89)

f_i is not limited to 0 and 1, but extensible to general positive integers. 

In this embodiment, a method for determining whether the process of the terminal unit 2 has validly 
executed the server-aided computation of the modulo- exponentiation and for detecting the result if it is 
invalid is provided. As one example, a method for checking that signatures obtained by different separated 
members of keys used for the server-aided computation protocol are matched is described in the following. 

(1) The IC card 9 creates two separated members which satisfy the equation (21) and names them D_1 
and D_2. 

(2) The IC card 9 executes the process of the server-aided computation using D_1 and obtains the result 
K_1. 

(3) The IC card 9 executes the process of the server-aided computation using D_2 in step 1404. 

(4) The terminal unit 2 receives D_2 in step 1413, computes the following equation in step 1414, 
w_i = g^{y_i} mod p (1 ≤ i ≤ n), obtains the following in step 1415, 
W_2 = [w_1, w_2, ..., w_n] and sends the result to the IC card 9. 

(5) The IC card 9 receives W_2 from the terminal unit 2 in step 1405 and obtains the result K_2 in step 
1406. 

(6) The IC card 9 compares K_1 with K_2 in step 1407. When they are matched, the IC card 9 determines 
that the computation result is valid in step 1408. When they are not matched, the IC card 9 determines that 
the computation result is invalid in step 1409. 

In the above process, it is possible to verify whether the terminal unit 2 has validly executed the 
process. 

However, when two keys are separated, x_0 should be different between them. If they are not different, 
when the terminal unit 2 computes the equation (88) using g' as the base rather than g, the results K_1 and 
K_2 are matched. 

It is obvious that the result of the computation of the equation (88) using g' as the base differs from that 
using g as the base. The RSA-S1 protocol, which is the original form of the above protocol, is a method 
equivalent to x_0 = 0. In the method for verifying the computation result by executing the above method 
twice, an attack method using g' instead of g is present. Thus, x_0 is added as a separated member of a 
key. 

The same result can be obtained by other methods as well as the method described in this 
embodiment. For example, the practical protocol can be generalized by increasing the number of the 
separated members to 3 or more. In addition, when computing K_1 and K_2, it is also possible to use a 
different server-aided computation method. 
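The key separation of equation (87), the exchange of equations (88) and (89), and the double-run check of steps (1) to (6) above, as an added Python example; this is not code from the patent. It assumes constructed toy Diffie - Hellman parameters (p = 2579, g = 2) and a constructed secret key x; function names are hypothetical. Besides the honest case, the block lets the requested side be simulated with a wrong base, which is the failure mode the text discusses: with two separations that use different x_0 the mismatch of K_1 and K_2 exposes it, while two separations sharing the same x_0 let the wrong result pass.

```python
import random

# Constructed toy Diffie-Hellman parameters, assumed for this illustration only.
P = 2579            # prime modulus p (real parameters are far larger)
G = 2               # base g common to all users


def separate_key(x, m, rng, x0):
    """Separated members of x (eq. 87): x = x0 + sum_i f_i * x_i (mod p-1), f_i in {0, 1}.
    Returns (F, D1); x0 and F stay on the card, D1 = [x_1, ..., x_m] is what gets sent."""
    f = [rng.randrange(2) for _ in range(m - 1)] + [1]   # f_m = 1 so that x_m absorbs the rest
    xs = [rng.randrange(1, P - 1) for _ in range(m - 1)]
    xs.append((x - x0 - sum(fi * xi for fi, xi in zip(f, xs))) % (P - 1))
    return f, xs


def terminal_powers(D1, base):
    """Requested side, step 1411: z_i = base^{x_i} mod p (eq. 88).  An honest terminal uses base = G."""
    return [pow(base, xi, P) for xi in D1]


def card_combine(x0, f, zs):
    """Requesting side, step 1403: K = (prod_{f_i = 1} z_i) * g^{x0} mod p (eq. 89)."""
    K = pow(G, x0, P)
    for fi, zi in zip(f, zs):
        if fi:
            K = K * zi % P
    return K


def doubly_checked_exponentiation(x, m, seed, terminal_base=G, share_x0=False):
    """Steps (1)-(6) of the text: run the protocol with two different separations D1, D2
    of the same x and accept only if the two results K1, K2 agree.  share_x0=True
    reproduces the weak variant the text warns about (same x0 in both separations).
    Returns (K1, K2, accepted)."""
    rng = random.Random(seed)
    x0_1 = rng.randrange(2, 32)
    x0_2 = x0_1
    while not share_x0 and x0_2 == x0_1:
        x0_2 = rng.randrange(2, 32)
    f1, D1 = separate_key(x, m, rng, x0_1)
    f2, D2 = separate_key(x, m, rng, x0_2)
    K1 = card_combine(x0_1, f1, terminal_powers(D1, terminal_base))
    K2 = card_combine(x0_2, f2, terminal_powers(D2, terminal_base))
    return K1, K2, K1 == K2


if __name__ == "__main__":
    x = 1234                                     # constructed secret key of the card
    print(doubly_checked_exponentiation(x, 8, seed=3)[2])                                   # True
    print(doubly_checked_exponentiation(x, 8, seed=3, terminal_base=3)[2])                  # False: detected
    print(doubly_checked_exponentiation(x, 8, seed=3, terminal_base=3, share_x0=True)[2])   # True: missed
```

With a wrong base g' both runs produce g'^{x - x_0} · g^{x_0} mod p; the two values agree exactly when the two separations share x_0, which is why the text requires x_0 to differ between them.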

Figure 15 shows a general structure of this embodiment. 

(1) Using first process sections 55 and 56 on the requesting side and the requested side, respectively, 
the result y_1 is obtained. 

(2) Using second process sections 57 and 58 on the requesting side and the requested side, 
respectively, the result y_2 is obtained. 

(3) By comparing y_1 with y_2 in a comparison section 59 on the requesting side, when they are 
matched, it is determined that the result is valid. Otherwise, it is determined that the result is invalid. 

An independent server-aided computation method which can be used for such compound type protocol 
can be selected from those which have been proposed. 

Only the server-aided computation method for computing modulo-exponentiation necessary for the 
Diffie - Hellman type key-in-common protocol has been described. In a general server-aided computation, 
the validity of the computation result can be verified by the method described above. For example, for 
verifying the computation result of the RSA cryptosystem, it is possible to use the same method. 

By referring to Figures 16 and 17, another embodiment is described in the following. The concept of 
the method described in the following is similar to that of the above embodiment. As outlined in Figure 16, 
generally, when information which has not been converted and that which has been converted are x and y, 
respectively, in the server-aided computation method for the conversion y = f_k(x) according to secret 
information k, the conversion process is executed in first process sections 60 and 61. When reverse 
conversion f_k^{-1} is present, it is obtained by second process sections 62 and 63. A comparison section 64 
verifies the fidelity of the requested side of the computation using the reverse conversion by checking that 
x' = f_k^{-1}(y) accords with x. 

The outline of the protocol is as follows. 

(1) x is converted using the server-aided computation of the forward conversion and the requesting side 
of the computation obtains y. 

(2) y is converted using the server-aided computation of the reverse conversion and the requesting side 
of the computation obtains x'. 

(3) The requesting side of the computation compares x with x' and when they are matched, it 
determines that the result y is valid. 

However, in the first embodiment, the reverse conversion was applicable only when it could be easily 
executed on the requesting side. In this embodiment, the reverse conversion is applicable even if 
the reverse conversion cannot be executed only by the requesting side. To accomplish that, in this 
embodiment, the server-aided computation is also applied to the reverse conversion. 

The structures of practical forward and reverse server-aided computations should be considered 
depending on individual applications. 

It is necessary to note that the information necessary for the reverse server-aided computation is 
transferred to the outside of the unit on the requesting side of the computation as well as that necessary for 
the forward server-aided computation. Thus, the protocol should be structured in the manner that the secret 
information k is not divulged to the outside except for the requesting side even if the two types of 
information are combined. In addition, generally, the requested side sends information back to the 
requesting side one time each for the forward server-aided computation and the reverse server-aided 
computation. In total, the information is sent two times. When the information which is sent two times is not 
that which is obtained in the valid process, the protocol should be structured so that the protocol does 
not allow the information to be passed to the last verification. 

Using an example of the server-aided computation of the RSA cryptosystem, it is possible to show 
that the practical protocol can be structured. The protocol that follows is available when the computation 
load of the reverse conversion is large, namely, the open exponent e is large. 

Like the embodiments described above, assuming that the requesting side of the computation is the IC 
card 9 and the requested side of the computation is the terminal unit 2 which has a higher computation 
capacity than the IC card 9, a practical example of the process is shown in Figure 17. 

The IC card 9 has stored own fixed decipher keys d, n, p, and q of the RSA cryptosystem where p and 
q are kept secret to the outside except for the IC card 9, d is a secret exponent, and the exponent e and 
the modulus n which structure the open keys may be open to the requested side of the computation. The 
server-aided computation method described in the above embodiment is practically exemplified in the 
following. The IC card 9 knows a random number R_0 which satisfies the following conditions and which is kept 
secret to the terminal unit 2. 
(1) r_p = R_0 mod (p - 1), 

(2) r_q = R_0 mod (q - 1), and 

(3) The value of τ(r_p) + τ(r_q) is relatively small. 

The IC card 9 sends d' and n which have been computed from the equation d' = (d - R_0) mod L to the 
terminal unit 2 (in step 1701). The terminal unit 2 receives them in step 1713, computes the equation 
S' = M^{d'} mod n in step 1715, and sends the result to the IC card 9 in step 1716. The IC card 9 receives S' in 
step 1704 and obtains S from S = M^{R_0} · S' mod n in step 1705. The above process is the forward server-
aided computation. 

On the other hand, the IC card 9 has computed Q_1 = R_1^d mod n using another random number R_1 and 
the modulus n. The computation load for computing Q_1 from R_1 is large. However, to reduce the 
computation load, it is possible to compute Q_1 in advance using a non-busy time of the CPU 15 of the IC 
card 9. When a plurality of random numbers and sets of their powers are generated in the non-busy time, 
signatures can be successively generated (or cipher texts can be successively deciphered). The set of R_1 
and Q_1 can be also generated in the manner that firstly R_1 = Q_1^e mod n and Q_1 have been generated and 

The procedure of the reverse server-aided computation for determining the validity of S obtained as the 
result of the forward server-aided computation is described in the following. 

(1) The IC card 9 computes the product of S and Q_1, which is Z = (S · Q_1) mod n, in step 1706 and 
sends Z to the terminal unit 2 in step 1707. 

(2) The terminal unit 2 receives Z in step 1717, computes W = Z^e mod n using the open exponent e in 
step 1718, and sends the result to the IC card 9 in step 1719. 

(3) The IC card 9 receives the result in step 1708 and computes V = (W / R_1) mod n in step 1709. 

(4) The IC card 9 compares V with M in step 1710 and when they are matched, it determines that the 
result S of the forward server-aided computation is valid. 
In the following, the reason why the steps (1) to (4) above allow the validity of the forward server-
aided computation to be determined is described. 

In the step (4) of the reverse server-aided computation, to allow V to be matched with M, V = (W / R_1) 
mod n should be satisfied, thereby W = M · R_1 mod n. When W ≠ M · R_1 mod n, it is determined that 
the server-aided computation failed. In this protocol, the terminal unit 2 knows M. Thus, even if the forward 
server-aided computation failed, when the terminal unit knows R_1 in the step (2), it may compute W = M · 
R_1 mod n and cause the IC card 9 to generate an invalid signature. However, since the terminal unit 2 
knows R_1 only when it correctly executes the forward server-aided computation, the validity of the forward 
server-aided computation can be determined in the above process. 
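The forward computation of steps 1701 to 1705 together with the reverse check of steps (1) to (4) above, as an added Python example; this is not code from the patent. It assumes a constructed toy RSA key (p = 61, q = 53, e = 17), constructed values for M, R_0 and Q_1, and hypothetical function names. The requested side is passed in as a function so that a terminal returning a corrupted result, and a terminal that answers the reverse step with M itself without knowing R_1, can both be run through the same check.

```python
from math import gcd

# Constructed toy RSA key, assumed for this illustration only (real keys are far larger).
P, Q = 61, 53
N = P * Q
L = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)      # L = LCM(p-1, q-1) = 780
E = 17
D = pow(E, -1, L)                               # 413


def honest_terminal(base, exponent):
    """The requested side's only job, in both directions: one modulo-exponentiation."""
    return pow(base, exponent, N)


def faulty_terminal(base, exponent):
    """A terminal that returns a corrupted result (lowest bit flipped)."""
    return honest_terminal(base, exponent) ^ 1


def forward_signature(M, R0, terminal):
    """Forward server-aided computation (steps 1701-1705): the card blinds d as
    d' = (d - R0) mod L, the terminal returns S' = M^{d'} mod n, and the card
    unblinds S = M^{R0} * S' mod n.  R0 is chosen so that r_p = R0 mod (p-1) and
    r_q = R0 mod (q-1) make M^{R0} cheap on the card."""
    d_prime = (D - R0) % L
    S_prime = terminal(M, d_prime)
    return pow(M, R0, N) * S_prime % N


def precompute_pair(Q1):
    """Idle-time preparation on the card: choose Q1 and derive R1 = Q1^e mod n, so that
    Q1 = R1^d mod n holds without the expensive d-th power."""
    return pow(Q1, E, N), Q1


def reverse_verify(M, S, R1, Q1, terminal):
    """Reverse server-aided computation, steps (1)-(4) (1706-1710)."""
    Z = S * Q1 % N                              # (1) card: Z = S * Q1 mod n
    W = terminal(Z, E)                          # (2) terminal: W = Z^e mod n (open exponent)
    V = W * pow(R1, -1, N) % N                  # (3) card: V = W / R1 mod n
    return V == M                               # (4) card: accept only if V matches M


def sign_and_check(M, R0, Q1, forward_terminal, reverse_terminal):
    """Run the forward computation, then the reverse check; returns (S, accepted)."""
    S = forward_signature(M, R0, forward_terminal)
    R1, Q1 = precompute_pair(Q1)
    return S, reverse_verify(M, S, R1, Q1, reverse_terminal)


if __name__ == "__main__":
    M, R0, Q1 = 65, 77, 1000                     # constructed message, blinding R0, random Q1
    print(sign_and_check(M, R0, Q1, honest_terminal, honest_terminal)[1])   # True
    print(sign_and_check(M, R0, Q1, faulty_terminal, honest_terminal)[1])   # False
```

For a correct S the check holds because Z^e = S^e · Q_1^e = M · R_1 mod n, so dividing by R_1 returns M; a terminal that simply answers M in step (2) fails because the card divides by R_1, which the terminal never sees.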
By referring to Figure 18, a third embodiment is described in the following. This embodiment can be 
applied to verify a signature of the RSA cryptosystem being generated. The concept is that the verification 
of the forward server-aided computation is performed using the server-aided computation of the reverse 
conversion like the embodiment shown in Figure 12. 

The IC card 9 has obtained u, v, and w which satisfy the equation (90) using the open exponent e in 
advance. 

e = u · v + w  (90)

(1) The IC card 9 requests the terminal unit 2 to generate a signature without divulging the secret key d 
to the terminal unit 2. At the time, the parameter w of the equation (90) should satisfy the following two 
conditions. (Condition 1) w ≠ 0 (Condition 2) e · d' is not divided by w. 
(2) The IC card 9 sends S which has been obtained as the result of the server-aided computation for 
generating the signature in (1) to the terminal unit 2 in step 1806. 

(3) The terminal unit 2 receives S in step 1816, obtains U of the equation (91) where S is raised to the 
u-th power in step 1817, and sends U to the IC card 9 in step 1818. 
U = S^u mod n  (91)

(4) The IC card 9 receives U in step 1807 and computes V of the following equation (92) in step 1808. 

V = U^v · S^w mod n  (92)

(5) The IC card determines whether V and the plain text M are matched in step 1809. When they are 
matched, the IC card 9 determines that S is the valid signature. Otherwise, the IC card 9 determines that 
invalid computations have been executed. 

Consequently, since V = S^{uv + w} = S^e mod n is satisfied, when the terminal unit 2 has correctly 
executed the computation, S = M^d mod n is obtained, thereby V = S^e = M^{de} = M. 

If the terminal unit 2 has not validly executed the computation in the step (1) above and it has obtained 
S' which is not valid S, it is necessary to consider whether the terminal unit 2 can obtain U which is passed 
only to the last verification. 

M = U^v · S^w mod n is the last verification equation. Although S^w can be obtained by the terminal unit 
2, it is necessary to lastly obtain U which satisfies U^v = M / S^w mod n. Namely, a v-th root in the modulus n 
should be obtained. Consequently, it is difficult to obtain U which can pass only the last verification 
equation. 

When the two conditions for w have not been satisfied, it is possible to change the structure in the 
manner that only the last verification equation is passed without obtaining the v-th root in the modulus n. 

In addition, in the steps (3) to (5), the secret information of the IC card 9 has not been used. Thus, 
unless the secret information of the IC card 9 is divulged by the server-aided computation protocol for 
generating the signature used in the step (2), the secret information is never divulged. Since it is possible to 
consider that only the step (2) prevents the secret information from divulging, the secret information is 
never divulged through these steps. 

In these steps, v = 3 and w = 2 can be set depending on the value of the open key e. In this case, 
the computation amount that the IC card 9 executes becomes minimum and the modulo-multiplication is 
executed four times. Thus, when the value of the open key e is large, the process time can be beneficially 
reduced. 

By referring to Figure 19, another embodiment is described in the following. 

The IC card 9 has created secret information t which is used in the server-aided computation for the 
reverse conversion in advance. Although t is a random number, it is restricted to the condition where the 
value of τ(t_p) + τ(t_q) is small so as to effectively execute the verification where t_p and t_q are values defined in 
the following equations (93) and (95). These conditions are the same as those used in the server-aided 
computation of the above embodiment. 
t_p = t mod (p - 1)  (93)
t_q = t mod (q - 1)  (95)

As shown in Figure 19, assume that the IC card 9 and the terminal unit 2 have obtained the signature 
text S in accordance with steps 1901 to 1905 and steps 1912 to 1915, respectively. To verify the validity of 
the signature text S, the IC card 9 and the terminal unit 2 execute steps 1906 to 1909 and steps 1916 to 
1918, respectively. 

(1) The IC card 9 computes Y = S^t mod n in step 1906 and transfers Y being computed to the terminal 
unit 2. 

(2) The terminal unit 2 receives Y in step 1916, computes Z = Y^e mod n using the open keys e and n 
in step 1917, and transfers Z being computed to the IC card 9 in step 1918. 

(3) The IC card 9 computes W = M^t mod n in step 1907 and receives Z being computed in step 1918. 

(4) The IC card 9 determines whether Z = W in step 1909 and advances to step 1901. When it is 
determined that Z ≠ W in step 1909, the terminal unit 2 determines that the steps being executed are 
invalid, advances to step 1910, and informs the user of the invalidity. 

The computation load of the steps (1) and (3) is supplemented in the following. When Y = S^t mod n is computed in the modulus n, the multiplication should be executed approximately log2 t times. When the equation is computed by dividing it into two modulo-exponentiations relating to the two prime numbers p and q structuring the modulus n according to the Chinese remainder theorem, the computation time is reduced: the number of times of computing the multiplication in the modulus p is x(t_p) and that in the modulus q is x(t_q). When t is selected, if the condition where the value of x(t_p) + x(t_q) is small has been imposed, the modulo-exponentiations of the steps (1) and (3) can be effectively executed by a unit with small computation capacity such as the IC card 9.

When t is selected to a small value, although the computation load of the IC card 9 is reduced, the IC card 9 becomes weak against an attack which estimates t by the round robin method. Thus, it is necessary to increase the value of t to some extent.

The embodiment in Figure 19 shows a case where this verification method is associated with a special server-aided computation. However, this verification method is not limited to the special server-aided computation method. In this verification method, when the open exponent e is a composite number, the reliability of the verification may degrade.

For example, assume that e is the product of two integers a and b, namely, e = a · b.

If the terminal unit 2 invalidly changes the server-aided computation result S to S' = S^a mod n, the terminal unit 2 correspondingly computes Z = Y^b mod n in the step (2) of the above verification instead of computing Z = Y^e mod n. In this case, since Z that the IC card 9 has obtained becomes M^t by the transformation of the following equation, the terminal unit 2 succeeds in passing the verification.

Z = Y^b mod n
= (S')^(tb) mod n
= S^(atb) mod n
= (S^(ab))^t mod n
= S^(et) mod n
= M^t

This attack method succeeds only when e is a composite number, its factorization in prime factors is known, and the result of the server-aided computation can be changed so that S' = S^a mod n is satisfied. Thus, when a prime number is selected for e, this attack method fails and the verification becomes effective. Even if e is a prime number, the degree of safety of the RSA cryptosystem does not degrade.
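The Figure 19 exchange, written out as an added Python example (not code from the patent): the card's two exponentiations are split into the p and q halves with the reduced exponents t_p and t_q of equations (93) and (95) and recombined by the Chinese remainder theorem, the terminal uses only the open key, and the card compares Z with W. The toy primes, the message value, the multiplication-count function mul_count standing in for the cost measure x(·), and the is_prime guard reflecting the prime-e condition are all assumptions of this example.

```python
# Added example: verification of a server-aided RSA signature with a card-side
# secret exponent t (Figure 19 style). Not code from the patent; parameters are toys.
from math import gcd

# Constructed toy RSA parameters so every value can be traced by hand.
P, Q = 61, 53
N = P * Q            # 3233
LAM = 780            # lcm(p-1, q-1), the Carmichael function of n
E = 17               # open exponent: prime, as the text requires for this check
D = pow(E, -1, LAM)  # secret exponent, 413


def is_prime(x):
    """Trial-division primality test; enough for the small toy exponent.
    Guards the condition on e stated in the text: with composite e the check weakens."""
    if x < 2:
        return False
    k = 2
    while k * k <= x:
        if x % k == 0:
            return False
        k += 1
    return True


def mul_count(x):
    """Modular multiplications of square-and-multiply for exponent x >= 1.
    Assumed here as the cost measure x(.) of the text; about log2(x), as stated."""
    return (x.bit_length() - 1) + (bin(x).count("1") - 1)


def crt(xp, xq, p, q):
    """Chinese remainder theorem: combine x mod p and x mod q into x mod p*q."""
    return (xp + p * (((xq - xp) * pow(p, -1, q)) % q)) % (p * q)


def card_power(base, t, p, q):
    """Card side: base^t mod n as two exponentiations with the reduced exponents
    t_p = t mod (p-1) and t_q = t mod (q-1) (equations (93) and (95)), then CRT.
    A reduced exponent of 0 is replaced by p-1 (or q-1) so base = 0 mod p still maps to 0."""
    tp = t % (p - 1) or (p - 1)
    tq = t % (q - 1) or (q - 1)
    return crt(pow(base, tp, p), pow(base, tq, q), p, q)


def verify_with_t(m, s, t, e, n, p, q):
    """Steps 1906 to 1918: True when Z == W, i.e. S^e == M held for the S
    the card was handed back."""
    if not is_prime(e):
        raise ValueError("open exponent must be prime for this verification")
    y = card_power(s, t, p, q)   # (1) card:     Y = S^t mod n
    z = pow(y, e, n)             # (2) terminal: Z = Y^e mod n, open key only
    w = card_power(m, t, p, q)   # (3) card:     W = M^t mod n
    return z == w                # (4) card compares Z with W


def choose_t(start, lam):
    """Pick t >= start coprime to lambda(n), so x -> x^t is a bijection on units;
    the text notes a too-small t weakens the card against exhaustive guessing."""
    t = start
    while gcd(t, lam) != 1:
        t += 1
    return t


if __name__ == "__main__":
    m = 42
    s = pow(m, D, N)                          # honest server-aided result
    t = choose_t(997, LAM)
    print("valid S accepted:", verify_with_t(m, s, t, E, N, P, Q))
    print("altered S rejected:", not verify_with_t(m, 2 * s % N, t, E, N, P, Q))
    print("card multiplications: direct", mul_count(t),
          "vs split", mul_count(t % (P - 1)) + mul_count(t % (Q - 1)))
```

With t = 997 the direct exponentiation costs 15 multiplications in the toy, while the split form costs 7 + 4, which is the saving the text attributes to a small x(t_p) + x(t_q).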
Next, another embodiment is described in the following. 

The protocol that follows is valid only when the computation load in the reverse conversion is large to some extent, namely, when the value of the open exponent e is large. Such a large e is used to prevent Hastad's attack in simultaneous transmission (J. Hastad, "On using RSA with low exponent in a public key network", Crypto 85, pages 403-408, 1985), to increase the value of e beyond that of log n so as to allow a plain text to be folded in the modulus n more than one time, and to make the open exponent e common to all the users by defining the quartic Fermat's number (2^16 + 1) as e.

By referring to Figure 20, a protocol which uses a server-aided computation method which is a modification of the RSA-S2 protocol (proposed in the thesis of Matsumoto, "How to ask services without violating privacy", 1988 Encipherment and Information Security Symposium Text, February 1988) is described in the following.

[1] The IC card 9 obtains the converted result S of the plain text M in accordance with the following protocol without transferring the secret key d to the terminal unit 2.

(1) The IC card 9 separates the secret key d as expressed in the following equations.
d = d_op + f_1 d_1 + f_2 d_2 + ... + f_m d_m mod (p - 1)
d = d_oq + g_1 d_1 + g_2 d_2 + ... + g_m d_m mod (q - 1)
D = [d_1 d_2 ... d_m],
F = [f_1 f_2 ... f_m],
G = [g_1 g_2 ... g_m]

where F and G are binary values. (Generally, f_i and g_i can be positive integers.) However, the expression Weight(F) + Weight(G) + x(d_op) + x(d_oq) ≤ L should be satisfied (where L is a parameter which is determined by the degree of safety).

d, d_op, d_oq, F, and G are secret information of the IC card 9. As described below, since the terminal unit 2 cannot know d_op, d_oq, F, and G via the protocol, it cannot obtain the secret information d.

(2) The IC card 9 sends the modulus n and D to the terminal unit 2 (in step 2001).

(3) The terminal unit 2 computes the following equation and sends the plain text M and Z to the IC card 9 in step 2014.
Z_i = M^(d_i) mod n (1 ≤ i ≤ m)
Z = [Z_1 Z_2 ... Z_m]

(4) The IC card 9 computes S_p and S_q of the following equations in step 2004.
S_p = (∏_{i=1}^{m} Z_i^(f_i) mod p) · M^(d_op) mod p
S_q = (∏_{i=1}^{m} Z_i^(g_i) mod q) · M^(d_oq) mod q

By combining S_p and S_q using the Chinese remainder theorem (CRT), the result S is obtained.

[2] The IC card 9 separates the open key e as expressed by the following equation.
e = 2 · e' + 1

[3] The IC card 9 computes U of the following equation and sends U and e to the terminal unit 2 in step 2005.
U = S^2 mod n

[4] The terminal unit 2 computes V of the following equation in step 2016 and sends V to the IC card 9 in step 2017.
V = U^(e') mod n

[5] The IC card 9 computes W of the following equation in step 2008.
W = S · V mod n

[6] When W and M are matched in step 2009, the IC card 9 determines that S is a valid signature. When they are not matched, the IC card 9 detects in what part of the protocol an invalid process has been executed.
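The protocol [1] to [6] above, written out as an added Python example (not code from the patent): the card splits d into the public vector D and the secret d_op, d_oq, F, G, the terminal returns Z, the card assembles S through the Chinese remainder theorem, and the e = 2e' + 1 exchange verifies S with two card-side multiplications while only S^2 leaves the card. The toy primes, the way the key split is generated (two reserved slots of D are solved so that both congruences hold, which keeps d_op and d_oq small), the message value and the tamper model are assumptions of this example.

```python
# Added example: the modified RSA-S2 server-aided signature with the e = 2e'+1
# verification, steps [1] to [6]. Not the patent's code; parameters are constructed toys.
import random

P, Q = 61, 53
N = P * Q            # 3233
LAM = 780            # lcm(p-1, q-1)
E = 17               # odd open exponent, so e = 2*e' + 1 with e' = 8
D = pow(E, -1, LAM)  # 413


def crt(xp, xq, p, q):
    """Chinese remainder theorem for the two-prime modulus."""
    return (xp + p * (((xq - xp) * pow(p, -1, q)) % q)) % (p * q)


def separate_key(d, p, q, m, rng):
    """Step [1]-(1): public D = [d_1..d_m], secret (d_op, d_oq, F, G) with
       d = d_op + sum f_i d_i (mod p-1)   and   d = d_oq + sum g_i d_i (mod q-1).
    Construction is this example's own: d_op, d_oq small, F and G random binary,
    and two reserved slots of D solved so that both congruences hold."""
    assert m >= 3
    d_op, d_oq = rng.randrange(1, 16), rng.randrange(1, 16)
    dvec = [rng.randrange(1, (p - 1) * (q - 1)) for _ in range(m)]
    f = [rng.randrange(2) for _ in range(m)]
    g = [rng.randrange(2) for _ in range(m)]
    f[m - 2], f[m - 1] = 0, 1          # slot m balances the p-congruence
    g[m - 2], g[m - 1] = 1, 0          # slot m-1 balances the q-congruence
    dvec[m - 1] = (d - d_op - sum(f[i] * dvec[i] for i in range(m - 2))) % (p - 1)
    dvec[m - 2] = (d - d_oq - sum(g[i] * dvec[i] for i in range(m - 2))) % (q - 1)
    return dvec, (d_op, d_oq, f, g)


def split_key(seed, m=5):
    """Deterministic key split for the toy parameters above."""
    return separate_key(D, P, Q, m, random.Random(seed))


def separation_holds(d, dvec, secret, p, q):
    """Check the two congruences of step [1]-(1)."""
    d_op, d_oq, f, g = secret
    ok_p = (d_op + sum(fi * di for fi, di in zip(f, dvec))) % (p - 1) == d % (p - 1)
    ok_q = (d_oq + sum(gi * di for gi, di in zip(g, dvec))) % (q - 1) == d % (q - 1)
    return ok_p and ok_q


def terminal_z(m_msg, dvec, n):
    """Step [1]-(3): the terminal raises M to each public d_i."""
    return [pow(m_msg, di, n) for di in dvec]


def card_sign(m_msg, z, secret, p, q):
    """Step [1]-(4): S_p, S_q from Z with the secret F, G, d_op, d_oq. Binary
    coefficients mean the card only multiplies selected Z_i, no powers."""
    d_op, d_oq, f, g = secret
    sp, sq = 1, 1
    for zi, fi, gi in zip(z, f, g):
        if fi:
            sp = sp * zi % p
        if gi:
            sq = sq * zi % q
    sp = sp * pow(m_msg, d_op, p) % p
    sq = sq * pow(m_msg, d_oq, q) % q
    return crt(sp, sq, p, q)


def honest_terminal(u, e_prime, n):
    """Step [4] as an honest terminal performs it."""
    return pow(u, e_prime, n)


def verify_signature(m_msg, s, e, n, terminal=honest_terminal):
    """Steps [2]-[6]: the card reveals only U = S^2 and multiplies twice."""
    assert e % 2 == 1
    e_prime = (e - 1) // 2               # [2] e = 2e' + 1
    u = s * s % n                        # [3] U = S^2 mod n
    v = terminal(u, e_prime, n)          # [4] V = U^e' mod n, sent back
    w = s * v % n                        # [5] W = S * V mod n (= S^e)
    return w == m_msg                    # [6] compare with M


def run_protocol(m_msg, tamper_slot=None, seed=7):
    """Whole exchange; tamper_slot models the terminal returning a wrong Z_i."""
    dvec, secret = split_key(seed)
    z = terminal_z(m_msg, dvec, N)
    if tamper_slot is not None:
        z[tamper_slot] = z[tamper_slot] * 2 % N
    s = card_sign(m_msg, z, secret, P, Q)
    return s, verify_signature(m_msg, s, E, N)
```

A wrong Z_i in a slot that F or G selects produces a wrong S, and W = S^e then differs from M, which is what step [6] catches; the terminal never sees S itself, only U = S^2.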

In evaluating the safety of the above method, when the terminal unit 2 has validly executed the computation, it is obvious that the IC card 9 determines that "the terminal unit 2 has validly executed the computation."

Then, it is necessary to consider whether the terminal unit 2 can pass the last verification and change S to an invalid signature or not. The verification equation of this embodiment is expressed as follows.
M = S · V mod n

Generally, to obtain V which satisfies the above equation, it is necessary to obtain the result S of the server-aided computation [1]. However, since the result S raised to the second power is sent back, it is difficult to obtain S from the value being received. Although it may be possible to obtain the result S from S^2 which is sent back in [3] by properly selecting Z which is sent to the client in [1]-(3), such a method has not been known thus far. The secret information which is newly added to the server-aided computation protocol for the verification is only the result S of the server-aided computation method [1]. All other information can be obtained by the terminal unit 2 alone. In the server-aided computation method [1], even if the result S is open to the public, it seems that the secret keys of the clients may not be divulged. Thus, it is supposed that the secret keys will not be divulged via [1] to [6].

On the other hand, in this embodiment, the computation load can be generalized by separating the open key e into the form u · e' + v. However, as described above, since e is an odd number, it is possible to set u = 2 and v = 1. In this case, the computation load of the IC card 9 necessary for the verification becomes minimum, namely, only two multiplications in the modulus n. The communication data amount is around 1024 bits. Thus, for example, when e is a quartic Fermat's number, if the communication time and the server's process time are ignored, a high speed verification which is approximately 8 times that in the direct method can be accomplished.

In this embodiment, the feature is that the result S of the server-aided computation [1] is not transferred to the terminal unit 2. However, depending on the server-aided computation protocol type used in [1], it is possible to pass the verification protocol [2] to [6] described above. In other words, when the KS method described in the thesis "Secret Conversion of RSA Cryptosystem Using Server-Aided Computation" (1989 Encipherment and Information Security Symposium Text, February 1989), the method described in the thesis "How to ask services without violating privacy" (1989 Encipherment and Information Security Symposium Text, February 1989), or the RSA-S1/S2 protocol (ditto) is used in the server-aided computation section, if the terminal unit 2 can successively generate information to be sent back to the IC card 9 in [1], it can know the result S of [1] by using U of [3]. (In the general form e = u · e' + v, when gcd(e, u) = 1, for protocols except for the KS method, the signature can be stolen.) When the modified method of the S2 protocol is used, the same type of attack method has not been known.

The modified method of the S2 protocol described in this embodiment contains both the KS method and the S2 method as special cases. In other words, the separation method of the secret information in the modified method accords with the S2 method when d_op = d_oq = 0 is satisfied in the following equations.
d = d_op + f_1 d_1 + f_2 d_2 + ... + f_m d_m mod (p - 1)
d = d_oq + g_1 d_1 + g_2 d_2 + ... + g_m d_m mod (q - 1)

On the other hand, when f_1 = g_1 = 1 is satisfied and the other f_i and g_i are all 0, the modified method becomes the KS method. However, as described above, in the KS method, there is an attack method where a random result of the server-aided computation is sent back and the last verification equation is passed, and thereby the terminal unit 2 can steal the signature.

Against the modified method, the same type of attack method has not been known. Thus, it can be said that the modified method of this embodiment is superior to the KS method and the S2 method when the verification is also considered.

From the fact described above, the meaning of the separation method of the secret information in the modified method can be explained. The terms d_op and d_oq prevent the signature from being stolen. The terms f_1 d_1 + f_2 d_2 + ... + f_m d_m and g_1 d_1 + g_2 d_2 + ... + g_m d_m prevent the attack method where a random result of the server-aided computation is returned and the last verification is passed.

In addition, in the modified method, the number of variables is greater than those of the KS method and the S2 method (in the KS method, two variables d_op and d_oq are used; in the S2 method, two vector variables F and G are used; while in the modified method, four variables d_op, d_oq, F, and G are used). Thus, the parameters can be more flexibly selected depending on the process speeds of the IC card 9 and the terminal unit 2 than in the other methods. Assuming that the communication time between the IC card 9 and the terminal unit 2 can be ignored, when the process speed of the terminal unit 2 is very fast, the process time of the S2 method becomes the shortest. When the process speed of the terminal unit 2 is relatively slow, the process time of the KS method is the shortest among these methods. The modified method described in the embodiment is in the middle position between the above two methods.

Then an embodiment of the seventh invention is described in the following. 

As described above, when the requested side of the computation has validly executed the conversion, the following equation (95) should be satisfied for M and S.
M =

The IC card 9 separates the secret key d as expressed in the equations (96) and (97). In addition, the IC card 9 computes the vectors I = [i_1 i_2 ... i_m] and J = [j_1 j_2 ... j_m] which satisfy the equations (98) and (99). This process can be executed by the IC card 9 or by the center as the issuance process of the key, or they can also be secretly stored in the IC card 9.
d = d_op + f_1 d_1 + ... + f_m d_m mod (p - 1) (96)
d = d_oq + g_1 d_1 + ... + g_m d_m mod (q - 1) (97)
1 = h_op + i_1 d_1 + ... + i_m d_m mod (p - 1) (98)
1 = h_oq + j_1 d_1 + ... + j_m d_m mod (q - 1) (99)

where d_op, d_oq, h_op, and h_oq are small values, D = [d_1, d_2, ..., d_m], F = [f_1, f_2, ..., f_m], G = [g_1, g_2, ..., g_m], I = [i_1, i_2, ..., i_m], and J = [j_1, j_2, ..., j_m]. D, F, G, I, J, d_op, d_oq, h_op, and h_oq are named separated members of the key d. These d, F, G, I, J, d_op, d_oq, h_op, and h_oq become the secret information of the IC card 9.

The server-aided computation protocol including the verification function using the key separated members (signature generation using the RSA cryptosystem) is shown in Figure 21.

(1) The IC card 9 sends D to the terminal unit 2 (in step 2101).

(2) The terminal unit 2 receives the separated members in step 2110, computes Z_i = M^(d_i) mod n (1 ≤ i ≤ m) in step 2111, and sends the result Z = [Z_1, Z_2, ..., Z_m] to the IC card 9 in step 2112.
(3) The IC card 9 receives Z in step 2103 and computes the following equations using the separated members F, G, d_op, and d_oq in step 2104. When the terminal unit 2 has not committed an invalidity, the result of the computation is expressed as follows.
S_p = (∏_{i=1}^{m} Z_i^(f_i) mod p) · M^(d_op) mod p = M^d mod p
S_q = (∏_{i=1}^{m} Z_i^(g_i) mod q) · M^(d_oq) mod q = M^d mod q

Then, by using the Chinese remainder theorem with S_p and S_q, the signature S is obtained. When the values of f_i and g_i are limited to 0 and 1, the computation of ∏_{i=1}^{m} Z_i^(f_i) mod p can be executed without using powers.

Then, a method for determining whether the terminal unit 2 has validly executed its process so as to determine the validity of the signature S is described in the following.

(1) In step 2105, the IC card 9 computes the following equations using Z, which has been received from the terminal unit 2 in step 2103, and the separated members I and J. When the terminal unit 2 has not executed an invalid computation, the result is expressed as follows.
W_p = (∏_{i=1}^{m} Z_i^(i_i) mod p) · M^(h_op) mod p = M mod p
W_q = (∏_{i=1}^{m} Z_i^(j_i) mod q) · M^(h_oq) mod q = M mod q

Then, using the Chinese remainder theorem with W_p and W_q, W is obtained.

(4) The IC card 9 compares M with W in step 2106. When they are matched, the IC card 9 determines the validity of the signature S (in step 2107). When they are not matched, the IC card 9 determines that S is invalid (in step 2108). In the above process, the IC card 9 can determine whether the signature S has been generated by the valid process of the terminal unit 2. When the signature S has been generated in the valid process of the terminal unit 2, the IC card 9 can place trust in the validity of S.
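The Figure 21 protocol with the separated members I, J, h_op and h_oq, as an added Python example (not code from the patent): the same Z serves both to assemble the signature through F, G, d_op, d_oq and to compute the check value W through I, J, h_op, h_oq, and W equals M exactly when every checked Z_i is correct. The members are laid out as in category (2) below, so every Z_i the signature uses is also checked; the toy primes, the generation method for the members (each vector has one balancing slot of D solved from its own congruence, keeping the constants small) and the tamper model are this example's assumptions.

```python
# Added example: the seventh invention (Figure 21). The key is separated into
# D, F, G for signing and I, J, h_op, h_oq for verifying, all evaluated on one Z.
# Not the patent's code; parameters are constructed toys.
import random

P, Q = 61, 53
N = P * Q            # 3233
LAM = 780            # lcm(p-1, q-1)
E = 17
D = pow(E, -1, LAM)  # 413


def crt(xp, xq, p, q):
    """Chinese remainder theorem for the two-prime modulus."""
    return (xp + p * (((xq - xp) * pow(p, -1, q)) % q)) % (p * q)


def _solve_slot(target, const, coeff, dvec, slot, mod):
    """Fix dvec[slot] so that const + sum coeff_i d_i == target (mod mod); coeff[slot] must be 1."""
    rest = sum(coeff[i] * dvec[i] for i in range(len(dvec)) if i != slot)
    dvec[slot] = (target - const - rest) % mod


def separate_members(d, p, q, m, rng):
    """Build D, F, G, I, J and the small constants of equations (96)-(99), laid out
    as category (2) of the text: F and G occupy the first k slots, I and J repeat
    those k coefficients and add their own in the tail. Construction is this example's own."""
    assert m >= 4
    k = m // 2
    d_op, d_oq, h_op, h_oq = (rng.randrange(1, 16) for _ in range(4))
    dvec = [rng.randrange(1, (p - 1) * (q - 1)) for _ in range(m)]
    f = [rng.randrange(2) if i < k else 0 for i in range(m)]
    g = [rng.randrange(2) if i < k else 0 for i in range(m)]
    f[k - 1], f[k - 2] = 1, 0            # balancing slots for (96) and (97)
    g[k - 1], g[k - 2] = 0, 1
    ivec = f[:k] + [rng.randrange(2) for _ in range(m - k)]
    jvec = g[:k] + [rng.randrange(2) for _ in range(m - k)]
    ivec[m - 1], ivec[m - 2] = 1, 0      # balancing slots for (98) and (99)
    jvec[m - 1], jvec[m - 2] = 0, 1
    _solve_slot(d, d_op, f, dvec, k - 1, p - 1)      # (96)
    _solve_slot(d, d_oq, g, dvec, k - 2, q - 1)      # (97)
    _solve_slot(1, h_op, ivec, dvec, m - 1, p - 1)   # (98)
    _solve_slot(1, h_oq, jvec, dvec, m - 2, q - 1)   # (99)
    members = dict(F=f, G=g, I=ivec, J=jvec, d_op=d_op, d_oq=d_oq, h_op=h_op, h_oq=h_oq)
    return dvec, members


def members_for(seed, m=6):
    """Deterministic separated members for the toy parameters."""
    return separate_members(D, P, Q, m, random.Random(seed))


def members_hold(d, dvec, mem, p, q):
    """Verify equations (96)-(99) on generated members."""
    def lhs(coeff, const, mod):
        return (const + sum(c * x for c, x in zip(coeff, dvec))) % mod
    return (lhs(mem["F"], mem["d_op"], p - 1) == d % (p - 1)
            and lhs(mem["G"], mem["d_oq"], q - 1) == d % (q - 1)
            and lhs(mem["I"], mem["h_op"], p - 1) == 1
            and lhs(mem["J"], mem["h_oq"], q - 1) == 1)


def card_combine(m_msg, z, coeff, const, p):
    """(prod Z_i^{c_i} mod p) * M^const mod p with binary c_i: multiplications only."""
    acc = 1
    for zi, ci in zip(z, coeff):
        if ci:
            acc = acc * zi % p
    return acc * pow(m_msg, const, p) % p


def figure_21(m_msg, tamper_slot=None, seed=3, m=6):
    """Steps 2101 to 2108. Returns (S, verified); tamper_slot models a wrong Z_i."""
    dvec, mem = members_for(seed, m)
    z = [pow(m_msg, di, N) for di in dvec]                 # terminal, step 2111
    if tamper_slot is not None:
        z[tamper_slot] = z[tamper_slot] * 2 % N
    sp = card_combine(m_msg, z, mem["F"], mem["d_op"], P)  # card, step 2104
    sq = card_combine(m_msg, z, mem["G"], mem["d_oq"], Q)
    s = crt(sp, sq, P, Q)
    wp = card_combine(m_msg, z, mem["I"], mem["h_op"], P)  # card, step 2105
    wq = card_combine(m_msg, z, mem["J"], mem["h_oq"], Q)
    w = crt(wp, wq, P, Q)
    return s, w == m_msg                                   # step 2106
```

Because I and J repeat the coefficients of F and G in the first k slots, a wrong Z_i there corrupts both S and W, so the card rejects before trusting S; a wrong Z_i in a tail slot leaves S intact but is still flagged, since the tail slots feed only the check.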

In evaluating the safety of the above process method, when the terminal unit 2 has validly executed the computation, it is obvious that the IC card 9 determines that "the terminal unit 2 has validly executed the computation."

Then, it is necessary to consider the possibility of a case where the terminal unit 2 can pass the last verification equation and change the result S to an invalid signature. Assume that W = M is the last verification equation. W is generated by using the secret information I, J, p, q, h_op, and h_oq which are known only by the IC card 9 in step 2105 in Figure 21. The terms h_op and h_oq serve to prevent an attack method for passing the last verification equation when the terms i_1 d_1 + ... + i_m d_m and j_1 d_1 + ... + j_m d_m are computed using a random server-aided computation result. Thus, it is difficult for the terminal unit 2 to generate a Z which passes the verification equation when the signature generated using the Z which the IC card 9 has received from the terminal unit 2 is invalid.

In addition, the terminal unit 2 cannot know d_op, d_oq, F, and G via the protocol. Thus, it is impossible for the terminal unit 2 to know the secret information d.

The above separated members can be categorized as the following (1) to (4) depending on whether or not there are common portions between F and G and between I and J.

(1) When the term h + 1 to the term k of F and G are the same as those of I and J, respectively:
F = {f_1, ..., f_h, f_(h+1), ..., f_k, 0, ..., 0}
G = {g_1, ..., g_h, g_(h+1), ..., g_k, 0, ..., 0}
I = {0, ..., 0, f_(h+1), ..., f_k, i_(k+1), ..., i_m}
J = {0, ..., 0, g_(h+1), ..., g_k, j_(k+1), ..., j_m}

(2) When the first k terms of F and I are the same as those of G and J, respectively, and the values of the term k + 1 to the term m of F and G are all 0:
F = {f_1, ..., f_k, 0, ..., 0}
G = {g_1, ..., g_k, 0, ..., 0}
I = {f_1, ..., f_k, i_(k+1), ..., i_m}
J = {g_1, ..., g_k, j_(k+1), ..., j_m}

(3) When the first k terms of F and I are the same as those of G and J, respectively, and the values of the term k + 1 to the term m of I and J are all 0:
F = {f_1, ..., f_k, f_(k+1), ..., f_m}
G = {g_1, ..., g_k, g_(k+1), ..., g_m}
I = {f_1, ..., f_k, 0, ..., 0}
J = {g_1, ..., g_k, 0, ..., 0}

(4) When there are no same terms between F and G and between I and J:
F = {f_1, ..., f_k, 0, ..., 0}
G = {g_1, ..., g_k, 0, ..., 0}
I = {0, ..., 0, i_(k+1), ..., i_m}
J = {0, ..., 0, j_(k+1), ..., j_m}

Then, consider the method for generating the separated members of the above (1) to (4).

(1) is a general form which contains both common terms and non-common terms between F and G and between I and J. In this method, since the information necessary for the server-aided computation and the information for the verification are sent in one communication session, only the requesting side can know which terms are used for the verification. Although all the terms of Z necessary for generating the signature are not checked (in other words, when I and J are applied to Z, the product of the terms whose value is 0 in I and J and the corresponding terms in Z is 0; thus, even if those terms in Z are invalid, the invalidity cannot be determined), this method can satisfactorily prevent a snapshooting which passes the verification even if a Z_i is invalid, since the two pieces of information are combined; for example, a snapshooting which changes the terms which are not verified into invalid values becomes possible when the information for the server-aided computation and the information for the verification are separately sent and received.

(2) allows all the terms of Z necessary for generating the signature to be checked, thereby preventing the snapshooting described above in this separation method.

In (3), W which is compared with M for checking the validity is obtained during the generation of the signature. Thus, if Z is an invalid result, it is possible to check the validity of Z before obtaining the signature S. In addition, since an invalid signature is not generated, the computation load can be reduced. When the separated members are generated in such a manner, although all the terms of Z necessary for generating the signature are not checked, this method according to the present invention allows the snapshooting described in (1) above to be satisfactorily prevented.

In (4), although all the terms are not checked, the method according to the present invention allows the snapshooting described in (1) above to be satisfactorily prevented.

Figure 22 shows a system structure which is generally extended.

In Figure 22, the requesting side of the computation adds the secret information k to the input information x in a first process section 71, executes the pre-process y = f(k, x) with the assistance of a process section 74 of the requested side, and obtains the process result in a third process section 75. After that, the requesting side executes the post-process x' = g(k, y) to obtain x' in a second process section 72, compares x' with x in a comparison section 73, and thereby verifies the process result obtained in the third process section 75.

Thus, in the seventh invention, the comparison section 73 compares the input information x with the information x' obtained in the second process section 72 and checks the computation result.

Consequently, according to the fifth, sixth, and seventh inventions, when the conversion relating to secret information is executed separately by a plurality of units, the secret information is not divulged to any unit other than a specific unit. In addition, the conversion is executed with the assistance of the computation capacity of the requested side. Moreover, since a disturbance of the computation committed by the requested side and/or a third party can be detected, the server-aided computation relating to the secret information can be executed much more precisely.



Claims

(1) A server-aided computation method for computing the d-th power of integer C modulo n using a main unit for executing said computation with secret key d and at least one auxiliary unit for supporting a computation that said main unit executes, said method comprising the steps of:
generating d' from a secret key d using m random numbers R_i (where i = 1, ..., m) generated by said main unit having secret keys n and d;
transferring d' and n from said main unit to said auxiliary unit;
computing the following equation from a message block C in said auxiliary unit
M' = C^(d') mod n
computing X using said random numbers R_i and n in said main unit while computing M' in said auxiliary unit;
transferring M' from said auxiliary unit to said main unit; and
computing a message block M using the following equation in said main unit
M = M' · X mod n

(2) A server-aided computation method for computing the d-th power of integer C modulo n using a main unit for executing said computation with secret key d and at least one auxiliary unit for supporting a computation that said main unit executes, said method comprising the steps of:
generating d' from a secret key d using m random numbers R_i (where i = 1, ..., m) generated by said main unit having secret keys n and d;
transferring d' and n from said main unit to said auxiliary unit;
computing the following equation from a message block C in said auxiliary unit
M' = C^(d') mod n
computing X^(-1) using said random numbers R_i and n in said main unit while computing M' in said auxiliary unit;
transferring M' from said auxiliary unit to said main unit; and
computing a message block M using the following equation in said main unit
M = M' · X^(-1) mod n

(3) A server-aided computation method for computing the d-th power of integer C modulo n using a main unit for executing said computation with secret key d and at least one auxiliary unit for supporting a computation that said main unit executes, said method comprising the steps of:
generating d' from a secret key d using m random numbers R_i (where i = 1, ..., m) generated by said main unit having secret keys n and d;
transferring d' and n from said main unit to said auxiliary unit;
computing the following equation from a message block C in said auxiliary unit
M' = C^(d') mod n
computing X and X^(-1) using said random numbers R_i and n in said main unit while computing M' in said auxiliary unit;
transferring M' from said auxiliary unit to said main unit; and
computing a message block M using M', X, and X^(-1).

(4) A server-aided computation method for executing a computation to raise a positive integer M to the d-th power modulo n, using a main unit which has secret information d and at least one auxiliary unit for supporting said computation, said method comprising the steps of:
(a) decomposing said integer n into k (k ≥ 1) positive factors n_j (where j = 1, ..., k), which are relatively prime to each other;
(b) decomposing said positive integer d into (m + 1) × k secret integers D_1j = [d_j0, f_j1, f_j2, ..., f_jm] (for j = 1, ..., k) stored in said main unit and m × k public integers D_2j = [d_j1, d_j2, ..., d_jm] (j = 1, ..., k) which satisfy the following k sets of equations
d = d_j0 + f_j1 · d_j1 + f_j2 · d_j2 + ... + f_jm · d_jm (mod λ(n_j)), where j = 1, ..., k and λ(n_j) is the Carmichael function of said positive integer n_j;
(c) computing in said auxiliary unit Y_ij = M^(d_ji) mod n_j, where i = 1, ..., m and j = 1, ..., k, and sending Y_ij to said main unit;
(d) computing in said main unit the following k values S_j using Y_j0 = M^(d_j0) mod n_j and Y_ij which have been computed by said main unit and said auxiliary unit
S_j = Y_j0 · Y_1j^(f_j1) · Y_2j^(f_j2) · ... · Y_mj^(f_jm) mod n_j, where j = 1, ..., k; and
(e) obtaining a result S which satisfies the k simultaneous equations concerning S as follows:
S_j = S mod n_j (for j = 1, ..., k).

(5) The server-aided computation method of claim 4 wherein said integer n is a prime number.

(6) The server-aided computation method of claim 4 wherein said integer n is a product of two prime numbers.

(7) The server-aided computation method of claim 4 wherein each of m × k non-negative integers f_j1, f_j2, ..., f_jm

(8) The server-aided computation method of claim 4 wherein the values d_ij are defined so that they satisfy a condition d_ij = d_uv at least for one set of integer pairs (i, j) and (u, v).

(9) A distributed information processing unit having a main unit for storing secret information and at least one auxiliary unit for supporting a transformation that said main unit executes, for executing a distributed process without disclosing said secret information necessary for said transformation to any unit other than said main unit, said distributed information processing unit comprising:
transformation means for transforming input information and inverse transformation means for inversely transforming the transformation results; and
verification means for comparing the inverse transformation results of said inverse transformation means with said input information so as to verify the transformation results of said transformation means.

(10) A distributed information processing unit having a main unit for storing secret information and at least one auxiliary unit for supporting a transformation that said main unit executes, for executing a distributed process without disclosing said secret information necessary for said transformation to any unit other than said main unit, said distributed information processing unit comprising:
a plurality of transformation means for executing said transformation of input information; and
verification means for mutually comparing the transformation results of said plurality of transformation means.

(11) The distributed information processing unit of claim 9 wherein said secret information is not disclosed to said auxiliary unit and is distributively processed in said main unit and said auxiliary unit.

(12) A distributed information processing unit having a main unit for storing secret information and at least one auxiliary unit for supporting a transformation that said main unit executes, for executing a distributed process without disclosing said secret information necessary for said transformation to any unit other than said main unit, said distributed information processing unit comprising:
first transformation means for executing said transformation of input information;
second transformation means for executing an identity transformation; and
comparison means for comparing the transformation results of said second transformation means with said input information so as to verify the transformation results of said first transformation means.